From: Bill Marquette (wlmarque@hewitt.com)
Date: Thu Mar 08 2001 - 07:40:54 CST

    Just thought this would be of interest to people in this group...in case anyone
    doesn't read FOCUS-IDS also :)
    ---------------------- Forwarded by Bill Marquette/National/Hewitt Associates on
    03/08/2001 07:40 AM ---------------------------

    From: Cortez <coretez@8THPORT.COM> on 03/07/2001 03:17 PM

    Please respond to Cortez <coretez@8THPORT.COM>

    To: FOCUS-IDS@SECURITYFOCUS.COM
    cc:
    Client:
    Subject: Re: Stateful inspection on IDS - Stick

    Over the last couple months I've been finishing up work on a tool called
    stick. I was planning to release a paper in the coming week and the tool in
    a month or two from now when IDS vendors have had time to make modifications
    to handle it.

    The tool uses the Snort rule set and produces a C program via lex that when
    compiled will produce an IP packet capable of triggering that rule from a
    spoofed IP range (or all possible IP addresses) into a target IP range. A
    function is produced for each rule and a loop then executes these rules in a
    random order. The tool currently produces these at about 250 alarms per
    second.

    A Linux-based snort will hit 100% CPU and start dropping packets. The
    stress on recording and disk IO is another problem.

    ISS Real Secure dies two seconds after the attack begins. This was tested
    numerous times.

    Other IDS and even sniffers (especially with DNS lookups) had problems of
    their own.

    I will be trying to release the code to IDS vendors over the next couple of
    months in order for them to make changes they see fit. The tool was
    initially designed to test bandwidth and stress on IDS, but it obviously can
    be used in a malicious manner and that is not my intent.

    A draft paper can be seen at http://www.eurocompton.net/stick/ ... please
    ignore the spelling and grammar changes. A more technical paper and
    analysis will hopefully be briefed at Blackhat if DT approves it.

    Coretez G.


    _______________________________________________
    Snort-users mailing list
    Snort-users@lists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    http://lists.sourceforge.net/lists/listinfo/snort-users
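The flood described in the forwarded message has a recognisable shape on the sensor side: alert volume jumps, the alerts span many different rules, and they arrive from many unrelated source addresses. The following is an added example (not part of the post or of stick) that parses Snort "fast" alert lines and flags one-second windows with that shape; the log lines, thresholds and function names are constructed for illustration.

```python
"""Alert-storm detector for Snort fast-alert lines (added example, not code
from the post or from stick).  A stick-style flood fires many distinct rules
from many spoofed sources in a short window; this flags one-second buckets
whose volume, rule diversity and source diversity all exceed thresholds."""
import re
from collections import defaultdict

# Snort fast format: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port"
ALERT_RE = re.compile(
    r"^\d\d/\d\d-(\d\d):(\d\d):(\d\d)\.\d+\s+\[\*\*\]\s+\[(\d+:\d+:\d+)\].*?"
    r"\{\w+\}\s+([\d.]+)(?::\d+)?\s+->\s+([\d.]+)(?::\d+)?$"
)

def parse_alert(line):
    """Return (second_of_day, gid:sid:rev, src_ip, dst_ip), or None for non-alert lines."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    hh, mm, ss, sid, src, dst = m.groups()
    return int(hh) * 3600 + int(mm) * 60 + int(ss), sid, src, dst

def find_alert_storms(lines, max_per_sec=50, min_sids=10, min_srcs=10):
    """Bucket alerts per second; report buckets that look like a flood:
    (second_of_day, alert_count, distinct_rules, distinct_sources)."""
    buckets = defaultdict(lambda: {"n": 0, "sids": set(), "srcs": set()})
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue  # skip non-alert lines (banners, blank lines, truncated records)
        sec, sid, src, _dst = parsed
        b = buckets[sec]
        b["n"] += 1
        b["sids"].add(sid)
        b["srcs"].add(src)
    storms = []
    for sec in sorted(buckets):
        b = buckets[sec]
        if b["n"] > max_per_sec and len(b["sids"]) >= min_sids and len(b["srcs"]) >= min_srcs:
            storms.append((sec, b["n"], len(b["sids"]), len(b["srcs"])))
    return storms

# Constructed sample: one quiet second, then one second with 60 alerts from
# 60 different (spoofed) sources across 20 distinct rules, as stick would produce.
def sample_lines():
    quiet = ["03/07-15:17:00.000001  [**] [1:1000001:1] PROBE A [**] [Priority: 3] {TCP} 10.0.0.5:4000 -> 192.168.1.10:80"]
    flood = [
        "03/07-15:17:01.%06d  [**] [1:%d:1] FLOOD RULE %d [**] [Priority: 2] {TCP} 10.0.%d.1:1234 -> 192.168.1.10:80"
        % (i, 1000100 + (i % 20), i % 20, i)
        for i in range(60)
    ]
    return quiet + flood
```

A single-source scan or a genuinely noisy rule will trip only the volume check, so requiring all three conditions keeps ordinary bursts from being reported as a flood.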