[Snort-users] FW: Nessus news letter #1--Snort does well

Steve Halligan agent33 at ...187...
Mon Feb 25 07:47:04 EST 2002

I did lots of cutting, but read below for the gist of it.  The entire
post can be seen at:

>2. Nessus 1.1.13 is out / New features in the 1.1.x tree
>Nessus 1.1.13 has been released! Among the new features,
>we have:
>- NIDS evasion functions for TCP and HTTP. See section 3 about these;
>- Simpler nmap_wrapper plug-in: nmap shall now be in $PATH when
>  nessusd is started.
>3. A closer look at Nessus NIDS evasion features
>It came to our attention that Nessus was used more than often to
>test for the quality of a NIDS. A lot of people install a NIDS,
>install Nessus, scan a target and see if the NIDS is full of logs.
>Nessus was not designed to be stealth, meaning that however
>poor your NIDS is, there will be at least two pages of red
>alerts telling you it's the end of the world.
>So in order to really test the quality of NIDS, we've decided to
>implement common NIDS attacks, not in order to be stealth, but
>in order to stress NIDSes a little more than what is done today.
>3.2. Results
>We did limited testing of this feature -
>The Snort NIDS is remarkably robust in front of those nasty
>features, and it turns out they make Nessus even noisier ;)
>(version tested: 1.8.3 - www.snort.org)
>OTOH, due to lack of TCP stream reassembly, Prelude fails
>for these (and will detect a tcp slicing attack when
>short packets are going to port 80).
>(version tested: 0.4.2 - www.prelude-ids.org)
>If you stress NIDSes with these features, report us your results!
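
An added example, not part of the newsletter or of the post above and not code from Nessus, Snort or Prelude: it shows why a sensor without TCP stream reassembly misses a signature that is spread across small segments, while a reassembling sensor still matches it and a short-packet heuristic on port 80 can flag the slicing itself. The signature, the request, the function names and the two thresholds are assumptions made up for the illustration.

```python
# Added illustration; every segment below is constructed sample data.
SIGNATURE = b"/cgi-bin/example.cgi"   # hypothetical content signature
REQUEST = b"GET /cgi-bin/example.cgi HTTP/1.0\r\n\r\n"
SHORT_PAYLOAD = 8        # assumed "short packet" size, in bytes
MIN_SHORT_SEGMENTS = 3   # assumed count before slicing is flagged


def sample_segments(data, size, isn=1000):
    """Split data into (sequence_number, payload) test segments."""
    return [(isn + i, data[i:i + size]) for i in range(0, len(data), size)]


def per_packet_match(segments):
    """Sensor without reassembly: inspect each payload on its own."""
    return any(SIGNATURE in payload for _seq, payload in segments)


def reassemble(segments):
    """Rebuild the stream by sequence number; first copy of a byte wins."""
    if not segments:
        return b""
    base = min(seq for seq, _payload in segments)
    stream = {}
    for seq, payload in segments:
        for i, byte in enumerate(payload):
            stream.setdefault(seq - base + i, byte)
    out = bytearray()
    while len(out) in stream:      # stop at the first gap
        out.append(stream[len(out)])
    return bytes(out)


def stream_match(segments):
    """Sensor with reassembly: inspect the rebuilt byte stream."""
    return SIGNATURE in reassemble(segments)


def looks_sliced(segments, dst_port):
    """Heuristic alert: several tiny data segments headed to port 80."""
    short = sum(1 for _seq, p in segments if 0 < len(p) <= SHORT_PAYLOAD)
    return dst_port == 80 and short >= MIN_SHORT_SEGMENTS


if __name__ == "__main__":
    whole = sample_segments(REQUEST, len(REQUEST))
    sliced = sample_segments(REQUEST, 4)[::-1]   # also delivered out of order
    for name, segs in (("whole", whole), ("sliced", sliced)):
        print(name, per_packet_match(segs), stream_match(segs),
              looks_sliced(segs, 80))
```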
