[Snort-users] Patch for stick

Steve Hutchins Steve.Hutchins at ...277...
Tue May 8 17:26:22 EDT 2001

I don't have the ideal answer, but I can tell you how 
I deal with it in my setup.

I have the snort sensor logging to a remote syslog box.
On the remote box, the syslog received from the sensor
is monitored as it appears.
The (perl) script maintains an array for all alerts 
received from each src address. The script applies
threshold analysis against each array, so when it has seen
enough appear from 1 src address in an appropriate time,
it bangs out an SNMP & SMTP alert with the relevant details.
The script maintains timers against each src address so that
it won't kick out another alert until the timer has expired.
The script has another timer which will cause it to
remove all 'stale' alerts from the src address arrays.

This means that some perp can spoof an attack from as many
addresses as possible, but until the script sees so many from
1 src address, it won't alert.
Long-term analysis is also done by ACID.

Before implementing this script, I was spending far too
much time analysing alerts.

Hope this helps.
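The following is an added example, not the script from the post above (which is not included here), and it is written in Python rather than Perl. It implements the same logic the post describes: Snort alerts arriving over syslog are parsed, each source address gets its own array of recent alert times, an alert is raised only once one source crosses the threshold inside the time window, that source is then held down until its timer expires, and sources not heard from for a while are swept as stale. The syslog line layout, rule IDs, addresses and the year (syslog timestamps carry none) are constructed assumptions; delivering the formatted message by SNMP trap or SMTP is left to the caller.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Snort alerts as forwarded over syslog. The layout
# "snort[pid]: [gid:sid:rev] msg [...]: {proto} src -> dst" is assumed; the
# rule IDs and addresses are made up. Five decoy sources send one alert each,
# then one source sends six alerts inside a minute; one line is not from snort.
SAMPLE_LOG = """\
May  8 17:26:01 sensor snort[812]: [1:1000001:1] SAMPLE scan probe [Priority: 2]: {ICMP} 192.0.2.10 -> 198.51.100.5
May  8 17:26:02 sensor snort[812]: [1:1000001:1] SAMPLE scan probe [Priority: 2]: {ICMP} 192.0.2.11 -> 198.51.100.5
May  8 17:26:03 sensor snort[812]: [1:1000001:1] SAMPLE scan probe [Priority: 2]: {ICMP} 192.0.2.12 -> 198.51.100.5
May  8 17:26:04 sensor snort[812]: [1:1000001:1] SAMPLE scan probe [Priority: 2]: {ICMP} 192.0.2.13 -> 198.51.100.5
May  8 17:26:05 sensor snort[812]: [1:1000001:1] SAMPLE scan probe [Priority: 2]: {ICMP} 192.0.2.14 -> 198.51.100.5
May  8 17:26:06 sensor sshd[400]: Accepted publickey for admin from 192.0.2.2 port 51022
May  8 17:26:10 sensor snort[812]: [1:1000002:1] SAMPLE web probe [Priority: 1]: {TCP} 203.0.113.7:4021 -> 198.51.100.5:80
May  8 17:26:12 sensor snort[812]: [1:1000002:1] SAMPLE web probe [Priority: 1]: {TCP} 203.0.113.7:4022 -> 198.51.100.5:80
May  8 17:26:15 sensor snort[812]: [1:1000002:1] SAMPLE web probe [Priority: 1]: {TCP} 203.0.113.7:4023 -> 198.51.100.5:80
May  8 17:26:18 sensor snort[812]: [1:1000002:1] SAMPLE web probe [Priority: 1]: {TCP} 203.0.113.7:4024 -> 198.51.100.5:80
May  8 17:26:20 sensor snort[812]: [1:1000002:1] SAMPLE web probe [Priority: 1]: {TCP} 203.0.113.7:4025 -> 198.51.100.5:80
May  8 17:26:25 sensor snort[812]: [1:1000002:1] SAMPLE web probe [Priority: 1]: {TCP} 203.0.113.7:4026 -> 198.51.100.5:80
"""

LOG_YEAR = 2001  # assumed: syslog timestamps have no year field

ALERT_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ snort\[\d+\]: (?P<msg>.*?) '
    r'\{(?P<proto>\w+)\} (?P<src>\d+(?:\.\d+){3})(?::\d+)? -> '
    r'(?P<dst>\d+(?:\.\d+){3})(?::\d+)?$'
)


def parse_alert(line, year=LOG_YEAR):
    """Return a dict for a Snort syslog alert line, or None for anything else."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": when, "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "msg": m["msg"]}


class SourceThresholdAlerter:
    """Per-source alert counting with a window, a hold-down timer and a stale sweep."""

    def __init__(self, threshold=5, window=timedelta(seconds=60),
                 hold_down=timedelta(minutes=5), stale=timedelta(minutes=10)):
        self.threshold = threshold      # alerts from one source needed to notify
        self.window = window            # ...within this much time
        self.hold_down = hold_down      # no second notification for a source until this passes
        self.stale = stale              # forget a source silent for this long
        self.hits = defaultdict(deque)  # src -> times of recent alerts (the per-source array)
        self.muted_until = {}           # src -> earliest time it may be notified on again

    def feed(self, line):
        """Consume one syslog line; return a notification dict when one is due."""
        ev = parse_alert(line)
        if ev is None:
            return None
        now, src = ev["time"], ev["src"]
        q = self.hits[src]
        q.append(now)
        while q and now - q[0] > self.window:   # drop hits outside the window
            q.popleft()
        self.expire_stale(now)
        if len(q) < self.threshold:
            return None
        if src in self.muted_until and now < self.muted_until[src]:
            return None                          # hold-down timer still running
        self.muted_until[src] = now + self.hold_down
        return {"src": src, "count": len(q), "first": q[0], "last": now,
                "last_msg": ev["msg"]}

    def expire_stale(self, now):
        """Sweep sources whose newest alert is older than the stale timer."""
        for src in list(self.hits):
            q = self.hits[src]
            if q and now - q[-1] > self.stale:
                del self.hits[src]
                self.muted_until.pop(src, None)


def format_notification(alert):
    """Text body suitable for the SNMP trap or e-mail the caller sends."""
    return (f"{alert['count']} Snort alerts from {alert['src']} between "
            f"{alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}; "
            f"latest: {alert['last_msg']}")


def run(log_text, **kw):
    """Feed every line of a syslog capture; return the notifications raised."""
    alerter = SourceThresholdAlerter(**kw)
    return [a for a in (alerter.feed(l) for l in log_text.splitlines()) if a]


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(format_notification(alert))
```

With the default threshold of five in sixty seconds, the five spoofed decoy sources never notify, the real source notifies once on its fifth alert, and its sixth alert is absorbed by the hold-down timer; lowering the threshold to one shows how much noise the per-source counting removes.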
-----Original Message-----
From: Fyodor [mailto:fygrave at ...121...]
Sent: Tuesday, 8 May 2001 6:59 p.m.
To: Suchun.Wu at ...1953...
Cc: snort-users
Subject: Re: [Snort-users] Patch for stick

On Mon, May 07, 2001 at 03:48:03PM -0400, Suchun.Wu at ...1953... wrote:
> Hi all,
> Does anyone know if there is a patch for the Stick attack for Snort 1.7? Does
> the new version 1.8 resist 'stick'?

Not that I know of. We could limit the alert flood by setting
up an alert threshold, I guess, but that's the best that could
be done here at this point. If anyone has any other ideas,
I'd be happy to hear them, of course :-)