[Snort-users] Patch for stick

Max Vision vision at ...4...
Mon May 7 17:13:05 EDT 2001


Defense against forged attacks relies on the NIDS capability to statefully
inspect traffic, or whether the NIDS is protected by a firewall which has
this functionality.  In an ideal situation, the IDS would know whether a
given incoming packet were unsolicited, or if it was a part of an existing
exchange.  Snort doesn't keep state on all of the traffic that passes
through.

To protect against forged attacks, and indeed from many actual attacks,
you need to have your IDS safely tucked away behind your firewall.  If
configured properly, all forged attacks will register as unsolicited
traffic and be dropped before they reach your internal network let alone
NIDS.  If you are offering udp services such as DNS, then you are out of
luck - if you allow one stateless query from an arbitrary source, then
there is nothing you can do to limit this ingress traffic to that service.

The only proposed Snort alterations I have heard of involved watching
alert thresholds to indicate when a series of attacks may have been
artificially generated all at once.  This would only be an indicator, and
not a preventative measure.

Max

On Mon, 7 May 2001 Suchun.Wu at ...1953... wrote:
>
> Hi all,
>
> Does any one know if there is a patch for Stick attack for Snort 1.7? Is
> the new version of 1.8 resists 'stick'?
>
> Thanks,
>
> Suchun
>







More information about the Snort-users mailing list