[Snort-users] Patch for stick

Martin Roesch roesch at ...1935...
Mon May 28 01:11:45 EDT 2001


ISS' "fix" was to patch their sensor so that it wasn't DoS'd by stick, I
don't think they suddenly added a bunch of stateful analysis to their
system.  Additionally, since they're closed source it doesn't matter how
ugly they make their code to pick up some of the signature things that
tools like stick do (set IP IDs, TCP window sizes, etc) to make
themselves "invulnerable" to them.  We don't have that luxury since the
attackers can examine our countermeasures and defeat them simply if
they're completely non-robust solutions like the ones that were most likely
implemented in the case of stick.  We have to do better since we're
open, which is kind of a pain in the ass.  (But hey, that's why they pay
me the big money...)  ;)


     -Marty

Fernando Cardoso wrote:
> 
> <SLIGHTLY OT>
> 
> I fully agree with you. That made me wonder how ISS RealSecure is dealing
> with it. That's the only product I'm aware of that has a fix to deal with
> stick. Since I don't think RealSecure is doing some sort of stateful
> inspection, does anyone have a clue on how this fix works? My guess goes for
> the tweaking of the alert thresholds in order to avoid CPU full utilisation
> or disk filling, but maybe someone knows better than me.
> 
> </SLIGHTLY OT>
> 
> Fernando
> 
> --
> Fernando Cardoso - Security Consultant       WhatEverNet Computing, S.A.
> Phone : +351 21 7994200                      Praca de Alvalade, 6 - Piso 6
> Fax   : +351 21 7994242                      1700-036 Lisboa - Portugal
> email : fernando.cardoso at ...965...     http://www.whatevernet.com/
> 
> >
> > Defense against forged attacks relies on the NIDS capability to statefully
> > inspect traffic, or whether the NIDS is protected by a firewall which has
> > this functionality.  In an ideal situation, the IDS would know whether a
> > given incoming packet were unsolicited, or if it was a part of an existing
> > exchange.  Snort doesn't keep state on all of the traffic that passes
> > through.
> >
> > To protect against forged attacks, and indeed from many actual attacks,
> > you need to have your IDS safely tucked away behind your firewall.  If
> > configured properly, all forged attacks will register as unsolicited
> > traffic and be dropped before they reach your internal network, let alone
> > the NIDS.  If you are offering UDP services such as DNS, then you are out of
> > luck - if you allow one stateless query from an arbitrary source, then
> > there is nothing you can do to limit this ingress traffic to that service.
> >
> > The only proposed Snort alterations I have heard of involved watching
> > alert thresholds to indicate when a series of attacks may have been
> > artificially generated all at once.  This would only be an indicator, and
> > not a preventative measure.
> >
> > Max
> >
> 

--
Martin Roesch
roesch at ...1935...
http://www.sourcefire.com - http://www.snort.org
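Max's alert-threshold idea above (a burst of many distinct signatures arriving all at once as an indicator that the alerts were artificially generated, not a preventive measure) is sketched here as an added example; this is not code from the thread or from Snort. The alert lines are constructed in a simplified fast-alert layout, and the window and thresholds are assumed values to be tuned per sensor.

```python
import re
from datetime import datetime

# Constructed sample (not a real capture): one genuine alert, then a burst of
# distinct signatures from distinct sources in under a second, the footprint
# of a tool replaying a whole rule set, then another genuine alert later.
SAMPLE_ALERTS = """\
05/27-23:58:10.000000 [**] [1:9001:1] SIG-A [**] 10.0.0.5:4432 -> 192.168.1.10:80
05/28-00:00:00.000000 [**] [1:9002:1] SIG-B [**] 10.9.9.1:1 -> 192.168.1.10:80
05/28-00:00:00.050000 [**] [1:9003:1] SIG-C [**] 10.9.9.2:2 -> 192.168.1.10:80
05/28-00:00:00.100000 [**] [1:9004:1] SIG-D [**] 10.9.9.3:3 -> 192.168.1.10:80
05/28-00:00:00.150000 [**] [1:9005:1] SIG-E [**] 10.9.9.4:4 -> 192.168.1.10:80
05/28-00:00:00.200000 [**] [1:9006:1] SIG-F [**] 10.9.9.5:5 -> 192.168.1.10:80
05/28-00:00:00.250000 [**] [1:9007:1] SIG-G [**] 10.9.9.6:6 -> 192.168.1.10:80
05/28-00:00:00.300000 [**] [1:9008:1] SIG-H [**] 10.9.9.7:7 -> 192.168.1.10:80
05/28-00:00:00.350000 [**] [1:9009:1] SIG-I [**] 10.9.9.8:8 -> 192.168.1.10:80
05/28-00:00:10.000000 [**] [1:9001:1] SIG-A [**] 10.0.0.5:4433 -> 192.168.1.10:80
"""

ALERT_RE = re.compile(r'^(\S+) \[\*\*\] \[(\d+:\d+:\d+)\] (.+?) \[\*\*\] (\S+) -> (\S+)$')

def parse_alerts(text):
    """Return (timestamp, gid:sid:rev, src_ip) tuples; unparsable lines are skipped."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d-%H:%M:%S.%f")
            out.append((ts, m.group(2), m.group(4).rsplit(":", 1)[0]))
    return out

def find_synthetic_bursts(alerts, window=1.0, min_alerts=5, min_sigs=4):
    """Sliding-window indicator: flag spans where >= min_alerts alerts carrying
    >= min_sigs distinct signatures land within `window` seconds. A single
    signature firing repeatedly (a real scanner) does not trip min_sigs.
    Returns (start_ts, end_ts, alert_count, distinct_sigs) per merged burst."""
    alerts = sorted(alerts)
    bursts, lo = [], 0          # bursts hold [first_index, last_index]
    for hi, (ts, _sig, _src) in enumerate(alerts):
        while (ts - alerts[lo][0]).total_seconds() > window:
            lo += 1
        span = alerts[lo:hi + 1]
        if len(span) >= min_alerts and len({a[1] for a in span}) >= min_sigs:
            if bursts and lo <= bursts[-1][1]:   # overlaps previous flagged window
                bursts[-1][1] = hi
            else:
                bursts.append([lo, hi])
    return [(alerts[a][0], alerts[b][0], b - a + 1,
             len({s for _, s, _ in alerts[a:b + 1]})) for a, b in bursts]
```

Only the burst is reported; the two genuine SIG-A alerts, separated from it by seconds, stay unflagged, which is exactly the "indicator, not prevention" role Max describes.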
