[Snort-users] Re: Statefull inspection on IDS - Stick

Stuart Staniford stuart at ...155...
Thu Mar 8 12:06:46 EST 2001

Avleen Vig wrote:
> > A Linux based snort will hit 100% CPU and start dropping packets.  The
> > stress on recording and disk IO is another problem.
> Errrrrrmm.. what specs are we talking about?
> This is very vague... It's like saying "The earth is big"... but how big? compared to
> the galaxy it's tiny, and compared to a worm it's enormous.

Seems like it's sort of irrelevant whether the IDS drops packets; its
output is useless anyway when attacked by this kind of tool.  We (Jim
Hoagland and I) thought of this possibility quite a bit when we were
writing a paper about Snortsnarf recently.  Tools like Snortsnarf help with
this situation, but only some.  If the attacker can genuinely randomize
every field in the attack packets, a single point sensor is going to have
an extremely difficult time coming up with a meaningful diagnosis of the

As the author of stick points out, being more stateful helps some.  It
makes it hard for an attacker tool to make the attacks look like they come
from everywhere at once.  This allows a well-designed console to isolate
the flood of alerts from bogus alerts.  On the other hand, if you are
stateful, and someone does something abusive looking towards your state,
you probably ought to alert on it..., this allows an attacker to create an
attack flood across many IPs, but limited to certain signatures.  And if an
attacker can sniff packets on the network he is attacking, then he can
produce a stick-equivalent even for a stateful IDS.

It seems to me the only way this kind of thing can be handled fully is by
distributed detection and correlation (which is very much a research
problem at present).

Folks interested in this might also want to read


Finally, a piece of ancient history.  The first use of this kind of attack
that I heard of (third hand) was that Tsutomo Shimomura was hired to do a
Red Team attack on the NIDES intrusion detection system that SRI had built
for the Navy.  He overwhelmed it with alerts (NIDES produced a separate
window on the console for every alert - ouch) before carrying out his


Stuart Staniford  ---  President  ---  Silicon Defense
stuart at ...155...  http://www.silicondefense.com/
(707) 445-4355                     (707) 445-4222 (FAX)

More information about the Snort-users mailing list