Subject: Re: sidestep (was RE: Fooling NIDS)
From: Robert Graham (robert_david_grahamYAHOO.COM)
Date: Fri Dec 08 2000 - 15:39:39 CST


How about a run with the "-norm" option, where Snort should pick up all the
attacks, or the "-false" option, where the IDS should pick NONE of the attacks
(because there aren't any). I believe that Snort should pick up all attacks
with -norm; and if not, something needs to be fixed (e.g. install an FTP server
for it to interact with).

I tried to choose only attacks that Snort supports, though I didn't test them.
I've since found that the Whitehats Arachnids SNMP LanManager Enumeration
signature was changed a little when translated from an original Snort signature
list, so the SNMP attack won't trigger with that signature set (though I imagine
the problem will be remedied by the time you read this :-).

The key thing is that 'sidestep' doesn't test who has the most signatures, but
helps analyze how the IDS detects the signatures. Of course, it is most unfair
to Snort, but if a commercial IDS does no better, then why are you spending
$$$$ for it instead of using Snort?

Rob.

PS: I apologize for not testing this myself, but I'm on the road for virtually
all of December; but in any event, I want independent observations.

--- Martin Roesch <roeschMD.PRESTIGE.NET> wrote:
> Wow, that's a lot of false alarms. Looks like you've got your portscan
> detector set on a hair trigger there. :) Well, at least it picked up the PHF
> attack with no tweaking required...
>
> -Marty
>
> Daniel Harrison wrote:
> >
> > I just briefly tested sidestep against my home machine, which is running
> > snort.
> > I am not an IDS vendor nor am I an IDS tester but here are my results:
> >
> > sidestep command: sidestep my.home.ip -evade -all
> >
> > Snort Version: Version 1.6.3-patch2
> >
> > Log Messages:
> >
> > Dec 7 08:51:57 pimp snort[494]: spp_portscan: PORTSCAN DETECTED from
> > ATTACKER.NET (THRESHOLD 3 connections exceeded in 6 seconds)
> > Dec 7 08:52:01 pimp snort[494]: IDS128 - CVE-1999-0067 - CGI phf attempt:
> > ATTACKER.NET:14006 -> MY.HOME.IP:80
> > Dec 7 08:52:03 pimp snort[494]: spp_portscan: portscan status from
> > ATTACKER.NET: 6 connections across 1 hosts: TCP(3), UDP(3)
> > Dec 7 08:53:48 pimp snort[494]: spp_portscan: portscan status from
> > ATTACKER.NET: 1 connections across 1 hosts: TCP(0), UDP(1)
> > Dec 7 08:54:18 pimp snort[494]: spp_portscan: End of portscan from
> > ATTACKER.NET: TOTAL time(14s) hosts(1) TCP(3) UDP(4)
> >
> > And using: sidestep my.home.ip -evade -rpc
> >
> > snort logged:
> >
> > Dec 7 09:00:01 pimp snort[494]: spp_portscan: portscan status from
> > ATTACKER.NET: 1 connections across 1 hosts: TCP(0), UDP(1)
> >
> > -dan
>
> --
> Martin Roesch
> roeschmd.prestige.net
> http://www.snort.org

=====
Robert Graham
Personal: http://www.robertgraham.com Work: CTO Network ICE
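A small scoring harness for the -norm / -false / -evade methodology Rob describes above, added here as an example and not part of the thread or of sidestep itself. It parses Snort 1.6.3 syslog lines (a subset of the ones Dan quoted, re-joined onto single lines), separates signature alerts from spp_portscan preprocessor noise, and judges each run mode; the attack-to-signature mapping is a hypothetical placeholder.

```python
import re

# Constructed sample: a subset of the Snort 1.6.3 syslog lines quoted in
# Dan Harrison's post, re-joined onto single lines (the archive wrapped them).
SNORT_LOG = """\
Dec 7 08:51:57 pimp snort[494]: spp_portscan: PORTSCAN DETECTED from ATTACKER.NET (THRESHOLD 3 connections exceeded in 6 seconds)
Dec 7 08:52:01 pimp snort[494]: IDS128 - CVE-1999-0067 - CGI phf attempt: ATTACKER.NET:14006 -> MY.HOME.IP:80
Dec 7 08:52:03 pimp snort[494]: spp_portscan: portscan status from ATTACKER.NET: 6 connections across 1 hosts: TCP(3), UDP(3)
Dec 7 08:54:18 pimp snort[494]: spp_portscan: End of portscan from ATTACKER.NET: TOTAL time(14s) hosts(1) TCP(3) UDP(4)
"""

# Signature alert: "<sid> - <ref> - <name>: <src> -> <dst>"; preprocessor events start with "spp_".
SIG_RE = re.compile(r"snort\[\d+\]: (?P<sid>IDS\d+) - (?P<ref>\S+) - (?P<name>[^:]+): (?P<src>\S+) -> (?P<dst>\S+)$")
PREPROC_RE = re.compile(r"snort\[\d+\]: (?P<pp>spp_\w+):")

# Hypothetical mapping from sidestep attack names to the Snort signature each should fire.
EXPECTED_SIG = {"phf": "CGI phf attempt", "rpc": "<placeholder rpc signature name>"}

def parse_log(text):
    """Split a Snort syslog stream into signature alerts and preprocessor events."""
    sigs, preproc = [], []
    for line in text.splitlines():
        m = SIG_RE.search(line)
        if m:
            sigs.append(m.groupdict()); continue
        m = PREPROC_RE.search(line)
        if m:
            preproc.append(m.group("pp"))
    return sigs, preproc

def score_run(mode, attacks, text):
    """Judge one sidestep run: -norm means every attack must alert, -false means
    none may (nothing was sent), -evade means a missed attack is a working evasion."""
    sigs, preproc = parse_log(text)
    fired = {s["name"] for s in sigs}                 # portscan noise is not a detection
    detected = {a for a in attacks if EXPECTED_SIG[a] in fired}
    missed = set(attacks) - detected
    if mode == "-norm":
        verdict = "ok" if not missed else f"fix IDS/test setup, missed: {sorted(missed)}"
    elif mode == "-false":
        verdict = "ok" if not detected else f"false positives: {sorted(detected)}"
    elif mode == "-evade":
        verdict = f"evaded: {sorted(missed)}" if missed else "all evasions caught"
    else:
        raise ValueError(f"unknown sidestep mode {mode!r}")
    return {"mode": mode, "detected": detected, "missed": missed,
            "portscan_noise": preproc.count("spp_portscan"), "verdict": verdict}
```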
