[Snort-users] Patch for stick

Fernando Cardoso fernando.cardoso at ...965...
Tue May 8 04:17:17 EDT 2001


I fully agree with you. That made me wonder how ISS RealSecure is dealing
with it. That's the only product I'm aware of that has a fix to deal with
stick. Since I don't think RealSecure is doing some sort of stateful
inspection, has anyone has a clue on how this fix works? My guess goes for
the tweaking of the alert thresholds in order to avoid CPU full utilisation
or disk filling, but maybe someone knows better than me.



Fernando Cardoso - Security Consultant       WhatEverNet Computing, S.A.
Phone : +351 21 7994200                      Praca de Alvalade, 6 - Piso 6
Fax   : +351 21 7994242                      1700-036 Lisboa - Portugal
email : fernando.cardoso at ...965...     http://www.whatevernet.com/

> Defense against forged attacks relies on the NIDS capability to statefully
> inspect traffic, or whether the NIDS is protected by a firewall which has
> this functionality.  In an ideal situation, the IDS would know whether a
> given incoming packet were unsolicited, or if it was a part of an existing
> exchange.  Snort doesn't keep state on all of the traffic that passes
> through.
> To protect against forged attacks, and indeed from many actual attacks,
> you need to have your IDS safely tucked away behind your firewall.  If
> configured properly, all forged attacks will register as unsolicited
> traffic and be dropped before they reach your internal network let alone
> NIDS.  If you are offering udp services such as DNS, then you are out of
> luck - if you allow one stateless query from an arbitrary source, then
> there is nothing you can do to limit this ingress traffic to that service.
> The only proposed Snort alterations I have heard of involved watching
> alert thresholds to indicate when a series of attacks may have been
> artificially generated all at once.  This would only be an indicator, and
> not a preventative measure.
> Max


                      INTERNET MAIL FOOTER 
A presente mensagem pode conter informa??o considerada confidencial.
Se o receptor desta mensagem n?o for o destinat?rio indicado, fica
expressamente proibido de copiar ou endere?ar a mensagem a terceiros.
Em tal situa??o, o receptor dever? destruir a presente mensagem e por
gentileza informar o emissor de tal facto.
Privileged or confidential information may be contained in this
message. If you are not the addressee indicated in this message, you
may not copy or deliver this message to anyone. In such case, you
should destroy this message and kindly notify the sender by reply

More information about the Snort-users mailing list