[Snort-users] Snot attacks and -z est option - regarding FAQ 1.9

counter.spy at ...348...
Mon Mar 25 05:45:14 EST 2002


Another question:
I have performed some testing with snot-0.92a attacks against snort during
the last few weeks.

The FAQ claims that snort is not vulnerable to such attacks, but I have
found some problems with snort during these tests. Some of them are fixed with
the 1.8.4 release but some are not.

One of the problems that I think I also have read about on this list is the
following:
Snot uses random IP numbers. Running Snot against a snorted machine over a
longer period of time (I ran it overnight) without delays caused the system to
reach its limits for creating new files. This in turn caused snort to
terminate.
Of course in a production environment you will have reacted long before this
happens, because such attacks are very noisy and unlikely to happen.
But it could be used in order to hide the real attack within all the noise
that snot generates, so some correlation is needed in order to eliminate those
"false positives".

Another issue is that I tried to reduce the alerts that were caused by snot
by using the -z est option. That idea was based on my assumption that snot
causes many fake connections, i.e. no real connections are established. This
did not help, I still got most of the alerts.

Of course the attacked system still had the possibility of resolving the
correct source IP through ARP, because attacker and target are in the same
network, so the target still gets the original MAC address and is able to reply
to the snot machine.

Any comments, hints or advice are greatly appreciated.

Let me take the chance here to thank all the people on the list for their
great enthusiasm and eagerness to help wherever they can.


Greetings,
D. Liesen


-- 
GMX - The communication platform on the Internet.
http://www.gmx.net
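One way to do the correlation the post asks for, as an added example that is not part of the original mail, of Snort or of snot: a decoy generator of the kind described fires many different rules from many random source addresses, each seen once, while a source that keeps coming back across several alerts is the one worth looking at. The script below parses Snort "fast" alert lines, groups them per destination and one-minute window, flags windows with both high source diversity and high signature diversity as a decoy flood, and surfaces only the recurring sources inside such windows. The thresholds, the regular expression (written from the alert_fast layout) and the sample alert lines are all assumptions of this example; the sample lines are constructed, not captured.

```python
"""Correlate Snort fast-format alerts to separate a decoy flood from persistent sources.

Added example, not from the original post or from the Snort project. Heuristic:
per destination and time window, count distinct source IPs and distinct signature
IDs. A window above both thresholds is treated as decoy noise, and only sources
that recur (here: at least min_repeats alerts in the whole log) are reported.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed layout of the alert_fast output. The Classification field is optional,
# and ports are absent for protocols that have none (e.g. ICMP).
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: [^\]]*\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)
EPOCH = datetime(1900, 1, 1)  # strptime without a year field yields 1900


def split_addr(token):
    """'10.1.2.3:4444' -> ('10.1.2.3', 4444); '10.1.2.3' -> ('10.1.2.3', None)."""
    host, sep, port = token.rpartition(":")
    if not sep:
        return token, None
    return host, int(port)


def parse_alert(line):
    """Parse one fast-format line into a dict, or return None for non-alert lines."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%m/%d-%H:%M:%S.%f")
    src_ip, src_port = split_addr(m.group("src"))
    dst_ip, dst_port = split_addr(m.group("dst"))
    return {
        "seconds": (ts - EPOCH).total_seconds(),
        "sid": int(m.group("sid")),
        "msg": m.group("msg"),
        "src": src_ip, "sport": src_port,
        "dst": dst_ip, "dport": dst_port,
    }


def correlate(lines, window=60, min_sources=20, min_sids=10, min_repeats=3):
    """Return (floods, persistent).

    floods:     {(dst_ip, window_index): alert count} for windows judged to be decoy noise
    persistent: {src_ip: alert count} for sources that recur inside those windows
    """
    alerts = [a for a in (parse_alert(line) for line in lines) if a]
    per_window = defaultdict(list)
    for a in alerts:
        per_window[(a["dst"], int(a["seconds"] // window))].append(a)
    src_total = Counter(a["src"] for a in alerts)
    floods, persistent = {}, {}
    for key, group in per_window.items():
        sources = {a["src"] for a in group}
        sids = {a["sid"] for a in group}
        if len(sources) >= min_sources and len(sids) >= min_sids:
            floods[key] = len(group)
            for a in group:
                if src_total[a["src"]] >= min_repeats:
                    persistent[a["src"]] = src_total[a["src"]]
    return floods, persistent


def constructed_sample():
    """Constructed alert lines (not real captures): 40 one-shot decoy sources plus
    one source that recurs four times inside the same minute, and one junk line."""
    lines = []
    for i in range(40):
        lines.append(
            f"03/25-02:13:{i % 60:02d}.000000 [**] [1:{1000 + i}:1] DECOY-RULE-{i} [**] "
            f"[Classification: Attempted Information Leak] [Priority: 2] {{TCP}} "
            f"10.1.{i // 256}.{(i % 254) + 1}:{40000 + i} -> 192.168.1.10:80"
        )
    for i in range(4):
        lines.append(
            f"03/25-02:13:{10 + 5 * i:02d}.500000 [**] [1:2001:3] WEB-MISC probe {i} [**] "
            f"[Priority: 1] {{TCP}} 172.16.5.9:{50000 + i} -> 192.168.1.10:80"
        )
    lines.append("garbage line that is not an alert")
    return lines


if __name__ == "__main__":
    floods, persistent = correlate(constructed_sample())
    for (dst, idx), count in floods.items():
        print(f"decoy flood towards {dst}, window {idx}: {count} alerts")
    for src, count in persistent.items():
        print(f"recurring source inside flood: {src} ({count} alerts)")
```

On the constructed sample the single window towards 192.168.1.10 is flagged as a flood and only 172.16.5.9 is reported; every decoy source appears once and is dropped. The same thresholds would not fire on a handful of alerts from one source, which is the point: noise is defined by diversity, not by volume alone.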