[Snort-users] Seen this?

Gregor Binder gbinder at ...462...
Thu Mar 15 16:38:37 EST 2001


Max Vision on Thu, Mar 15, 2001 at 12:48:03PM -0800:

> probe/dns query).  Either stick is very poorly coded (not using believable
> settings for initial ttl, window size, etc) or they are doing some
> threshold like you said.  Depends on what they do once they detect a flood
> of alerts - start sniping everything from that IP?  Ignore it? :)

Don't forget that the flood could come from a whole lot of IPs.

Sniping everything wouldn't help much since the intended effect of
causing thousands of alerts would not go away; ignoring it would be
extremely stupid, because people could hide their attacks even better then.

They probably found a way to fingerprint stick, and used the opportunity
to be the first IDS which can detect it, regardless of the problem not
being the tool stick, but the concept of it. I would expect their
solution to be more valuable from a marketing standpoint as opposed to
being technically sophisticated :)

> > Any ideas what can be done with snort, or is the thinking that it is
> > not a sensor issue, but an issue for the reporting tool to deal with?

IMO, that's a sensor issue, or maybe an overall security concept issue.
But my feeling is the sensor should not raise a few thousand alerts and
leave it up to the console (reporting tool, whatever) to decide that you
probably haven't been hit by the whole range of known signatures by 500
hosts in 2 seconds :) Having stateful analysis would probably help
until tools that are a lot smarter than stick show up. On the
reporting side, I wouldn't go for thresholds, but rather for correlation of
alerts with firewall policies, the service configuration of a site, and
maybe alerts of sensors in other segments. This way it would be possible
to eliminate a lot of intentionally caused false positives. The same
goes for deploying a reasonable ruleset :)

cheers,

-- 
Gregor Binder       <gregor.binder at ...462...>      http://sysfive.com/
sysfive.com GmbH               UNIX. Networking. Security. Applications.
PGP id: 0x20C6DA55 fp: 18AB 2DD0 F8FA D710 1EDC A97A B128 01C0 20C6 DA55
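The two defenses argued for in the message above, stateful analysis on the sensor and correlation of alerts with firewall policy and service configuration on the reporting side, sketched as an added example. This is not code from the original post or from Snort; the alert record format, the firewall policy, the service list, the signature-prefix-to-service mapping and the alert lines are all constructed for illustration. The stateful part is the point that matters against stick: a tool that replays rule-matching packets with no preceding handshake produces alerts on flows the sensor never saw established.

```python
"""Added example: stateful flow check plus alert correlation (constructed data)."""
from collections import namedtuple

Alert = namedtuple("Alert", "ts sid sig src sport dst dport flags")

# Constructed firewall policy: (host, port) pairs reachable from outside.
FIREWALL_ALLOW = {("10.0.0.5", 80), ("10.0.0.5", 443), ("10.0.0.5", 8080),
                  ("10.0.0.9", 53)}
# Constructed service configuration: what actually listens on each host.
SERVICES = {"10.0.0.5": {80: "apache", 443: "apache"}, "10.0.0.9": {53: "bind"}}
# Assumed mapping from signature-name prefix to the service it targets.
SIG_SERVICE = {"WEB-": "apache", "DNS-": "bind", "FTP-": "wuftpd"}


def parse(line):
    """Parse one constructed record: ts sid "sig name" src:port -> dst:port flags."""
    ts, sid, rest = line.split(" ", 2)
    _, sig, rest = rest.split('"')
    src, _, dst, flags = rest.split()
    src, sport = src.rsplit(":", 1)
    dst, dport = dst.rsplit(":", 1)
    return Alert(float(ts), int(sid), sig, src, int(sport), dst, int(dport), flags)


class FlowTracker:
    """Track the TCP three-way handshake per flow, keyed by the client side."""

    def __init__(self):
        self.state = {}  # (client, cport, server, sport) -> syn | synack | established

    def observe(self, a):
        fwd = (a.src, a.sport, a.dst, a.dport)
        rev = (a.dst, a.dport, a.src, a.sport)
        if a.flags == "S":
            self.state[fwd] = "syn"
        elif a.flags == "SA" and self.state.get(rev) == "syn":
            self.state[rev] = "synack"
        elif a.flags == "A" and self.state.get(fwd) == "synack":
            self.state[fwd] = "established"

    def established(self, a):
        fwd = (a.src, a.sport, a.dst, a.dport)
        rev = (a.dst, a.dport, a.src, a.sport)
        return "established" in (self.state.get(fwd), self.state.get(rev))


def correlate(a):
    """Console-side correlation against firewall policy and service config."""
    if (a.dst, a.dport) not in FIREWALL_ALLOW:
        return "blocked"        # the firewall drops it; the target never saw it
    svc = SERVICES.get(a.dst, {}).get(a.dport)
    if svc is None:
        return "no_service"     # port is open on the firewall but nothing listens
    target = next((s for p, s in SIG_SERVICE.items() if a.sig.startswith(p)), None)
    if target is not None and target != svc:
        return "wrong_service"  # e.g. an FTP signature fired against the web server
    return "relevant"


def triage(lines):
    """Sensor-side state check first, then correlation; empty reasons = keep."""
    tracker = FlowTracker()
    out = []
    for line in lines:
        a = parse(line)
        tracker.observe(a)
        if a.sid == 0:          # plain traffic, no signature fired
            continue
        reasons = []
        if "P" in a.flags and not tracker.established(a):
            reasons.append("stateless")   # payload on a flow never handshaken: stick-style
        verdict = correlate(a)
        if verdict != "relevant":
            reasons.append(verdict)
        out.append((a.sid, a.src, reasons))
    return out


# Constructed records: one real session, then four stateless replayed alerts.
SAMPLE = [
    '1.00 0 "-" 203.0.113.7:1234 -> 10.0.0.5:80 S',
    '1.01 0 "-" 10.0.0.5:80 -> 203.0.113.7:1234 SA',
    '1.02 0 "-" 203.0.113.7:1234 -> 10.0.0.5:80 A',
    '1.03 1002 "WEB-IIS cmd.exe access" 203.0.113.7:1234 -> 10.0.0.5:80 PA',
    '2.00 1002 "WEB-IIS cmd.exe access" 198.51.100.4:4000 -> 10.0.0.5:80 PA',
    '2.01 1336 "FTP-SITE EXEC" 198.51.100.5:4001 -> 10.0.0.5:21 PA',
    '2.02 1336 "FTP-SITE EXEC" 198.51.100.6:4002 -> 10.0.0.5:443 PA',
    '2.03 1002 "WEB-IIS cmd.exe access" 198.51.100.7:4003 -> 10.0.0.5:8080 PA',
]

if __name__ == "__main__":
    for sid, src, reasons in triage(SAMPLE):
        print(sid, src, "KEEP" if not reasons else "drop: " + ", ".join(reasons))
```

Only the alert from the completed handshake survives; the replayed ones are discarded by the state check alone, and three of them would additionally fail correlation even on a sensor without flow state.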
