Subject: Re: Fooling NIDS
From: Martin Roesch (roesch@MD.PRESTIGE.NET)
Date: Tue Dec 05 2000 - 14:42:57 CST


Really?! Can you provide more information about what was causing the Snort
crashes?

    -Marty

Crist Clark wrote:
>
> Matías Bevilacqua wrote:
> >
> > This idea has just occurred to me (10 sec., so don't blame me for it). Has
> > someone seen in the wild attackers fooling NIDS systems just to get security
> > personnel running from host to host while silently compromising other systems
> > while the sec. guys are occupied?
> >
> > I'm talking about something like nmap's -D option. Make 20 alarms jump
> > while you're randomly hacking at one of those machines. Sure, you'll gain
> > some time to conceal your traces.
> >
> > What about setting off 1000 alarms just for fun? Could we coin that as ADoD
> > (Admin DoS)?
> > Has someone seen this out there?
>
> How about Stephane Aubert's IDSwakeup tool?
>
> http://www.hsc.fr/ressources/outils/idswakeup/index.html.en
>
> He had some fun setting off false alarms on vendors' IDSs at SANS in Monterey
> while he did a unicode exploit on a webserver. I've managed to crash Snort
> reliably with it too.
> --
> Crist J. Clark                Network Security Engineer
> crist.clark@globalstar.com    Globalstar, L.P.
> (408) 933-4387                FAX: (408) 933-4926

--
Martin Roesch
roesch@md.prestige.net
http://www.snort.org
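The thread above describes the defender's problem with decoy floods: nmap's -D option makes the scan appear to come from many sources at once, but the attacker's real address must still send its own packets, so it shows up among the decoys and then again, alone, when the real exploit lands. The following is an added example, not code from the thread, from Snort, or from IDSwakeup. It parses a handful of constructed alert lines (modeled on Snort's "fast" alert format, not real captures), finds signatures that fire from many distinct sources inside a short window (the "admin DoS" flood), and then reports sources that appear both in the flood and in a non-flood alert. The window of 60 seconds and the threshold of 5 sources are assumptions chosen for the sample; tune them to your own alert volume.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set

# Constructed sample alerts (not real captures). The layout imitates Snort's
# "fast" alert output; ports are absent for ICMP as in the real format.
SAMPLE_ALERTS = """\
12/05-13:00:00.000001 [**] [1:1000:1] SCAN nmap XMAS [**] [Priority: 2] {TCP} 10.9.0.99:40000 -> 192.168.1.20:22
12/05-14:40:01.000001 [**] [1:1000:1] SCAN nmap XMAS [**] [Priority: 2] {TCP} 10.9.0.11:40000 -> 192.168.1.20:22
12/05-14:40:02.000001 [**] [1:1000:1] SCAN nmap XMAS [**] [Priority: 2] {TCP} 10.9.0.12:40000 -> 192.168.1.20:22
12/05-14:40:03.000001 [**] [1:1000:1] SCAN nmap XMAS [**] [Priority: 2] {TCP} 10.9.0.13:40000 -> 192.168.1.20:22
12/05-14:40:04.000001 [**] [1:1000:1] SCAN nmap XMAS [**] [Priority: 2] {TCP} 10.9.0.14:40000 -> 192.168.1.20:22
12/05-14:40:05.000001 [**] [1:1000:1] SCAN nmap XMAS [**] [Priority: 2] {TCP} 10.9.0.15:40000 -> 192.168.1.20:22
12/05-14:40:06.000001 [**] [1:1000:1] SCAN nmap XMAS [**] [Priority: 2] {TCP} 10.9.0.16:40000 -> 192.168.1.20:22
12/05-14:40:07.000001 [**] [1:1000:1] SCAN nmap XMAS [**] [Priority: 2] {TCP} 10.9.0.17:40000 -> 192.168.1.20:22
12/05-14:40:09.000001 [**] [1:1000:1] SCAN nmap XMAS [**] [Priority: 2] {TCP} 10.9.0.18:40000 -> 192.168.1.20:22
12/05-14:40:30.000001 [**] [1:1002:5] WEB-IIS unicode directory traversal attempt [**] [Priority: 1] {TCP} 10.9.0.13:1234 -> 192.168.1.10:80
12/05-14:41:00.000001 [**] [1:469:1] ICMP PING NMAP [**] [Priority: 3] {ICMP} 172.16.5.5 -> 192.168.1.20
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<sig>.+?) \[\*\*\] "
    r"(?:\[Classification: [^\]]*\] )?\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


@dataclass
class Alert:
    ts: datetime
    sid: int
    sig: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_alerts(text: str) -> List[Alert]:
    """Parse fast-format alert lines; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        # The fast format carries no year; only differences between timestamps matter here.
        ts = datetime.strptime(m.group("ts"), "%m/%d-%H:%M:%S.%f")
        alerts.append(Alert(
            ts=ts, sid=int(m.group("sid")), sig=m.group("sig"), proto=m.group("proto"),
            src=m.group("src"), sport=int(m.group("sport")) if m.group("sport") else None,
            dst=m.group("dst"), dport=int(m.group("dport")) if m.group("dport") else None,
        ))
    return alerts


def find_floods(alerts: List[Alert], window_s: int = 60, min_sources: int = 5) -> Dict[str, Set[str]]:
    """Signatures fired by >= min_sources distinct sources within any window_s span.

    Returns {signature: union of sources seen in qualifying windows}. Sources that
    fire the same signature far outside the burst (10.9.0.99 at 13:00 in the sample)
    are not counted as decoys.
    """
    by_sig: Dict[str, List[Alert]] = defaultdict(list)
    for a in alerts:
        by_sig[a.sig].append(a)
    floods: Dict[str, Set[str]] = {}
    for sig, items in by_sig.items():
        items.sort(key=lambda a: a.ts)
        for i, start in enumerate(items):
            srcs = set()
            for a in items[i:]:
                if (a.ts - start.ts).total_seconds() > window_s:
                    break
                srcs.add(a.src)
            if len(srcs) >= min_sources:
                floods.setdefault(sig, set()).update(srcs)
    return floods


def triage(alerts: List[Alert], window_s: int = 60, min_sources: int = 5) -> dict:
    """Separate decoy noise from the alerts worth chasing first.

    suspects = sources present in the flood AND in a non-flood alert: with nmap -D the
    real scanner still sends from its own address, so it is the decoy that also does
    something the decoys do not.
    """
    floods = find_floods(alerts, window_s, min_sources)
    flood_srcs = set().union(*floods.values()) if floods else set()
    outliers = [a for a in alerts if a.sig not in floods]
    suspects = sorted({a.src for a in outliers if a.src in flood_srcs})
    return {
        "flood_sigs": sorted(floods),
        "flood_sources": sorted(flood_srcs),
        "outliers": outliers,
        "suspects": suspects,
    }


if __name__ == "__main__":
    result = triage(parse_alerts(SAMPLE_ALERTS))
    print("flooded signatures:", result["flood_sigs"])
    print("decoy sources:", result["flood_sources"])
    for a in result["outliers"]:
        print(f"outlier: {a.ts.time()} {a.sig} {a.src} -> {a.dst}")
    print("investigate first:", result["suspects"])
```

On the sample, the eight XMAS-scan sources are collapsed into one flood, the unicode traversal alert and the ICMP ping fall out as outliers, and 10.9.0.13 is the only address that is both a "decoy" and the origin of the exploit attempt, which is where the analyst's time should go instead of into visiting twenty scanned hosts one by one. The heuristic is deliberately simple and says nothing about an attacker who uses fully spoofed sources with no real address in the set; it only encodes the constraint the thread itself points out, that decoys are cover for a sender that still has to send.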