
 
From: Stuart Staniford (stuart@silicondefense.com)
Date: Thu Mar 08 2001 - 11:06:46 CST


    Avleen Vig wrote:
    >
    > > A Linux based snort will hit 100% CPU and start dropping packets. The
    > > stress on recording and disk IO is another problem.
    >
    > Errrrrrmm.. what specs are we talking about?
    > This is very vague... It's like saying "The earth is big"... but how big? compared to
    > the galaxy it's tiny, and compared to a worm it's enormous.

    Seems like it's sort of irrelevant whether the IDS drops packets; its
    output is useless anyway when attacked by this kind of tool. We (Jim
    Hoagland and I) thought of this possibility quite a bit when we were
    writing a paper about Snortsnarf recently. Tools like Snortsnarf help with
    this situation, but only some. If the attacker can genuinely randomize
    every field in the attack packets, a single point sensor is going to have
    an extremely difficult time coming up with a meaningful diagnosis of the
    problem.

    As the author of stick points out, being more stateful helps some. It
    makes it hard for an attacker tool to make the attacks look like they come
    from everywhere at once. This allows a well-designed console to isolate
    the flood of alerts from bogus alerts. On the other hand, if you are
    stateful, and someone does something abusive looking towards your state,
    you probably ought to alert on it. This allows an attacker to create an
    attack flood across many IPs, but limited to certain signatures. And if an
    attacker can sniff packets on the network he is attacking, then he can
    produce a stick-equivalent even for a stateful IDS.

    It seems to me the only way this kind of thing can be handled fully is by
    distributed detection and correlation (which is very much a research
    problem at present).

    Folks interested in this might also want to read

    http://www.silicondefense.com/pptntext/snortsnarf-discex2.pdf

    Finally, a piece of ancient history. The first use of this kind of attack
    that I heard of (third hand) was that Tsutomu Shimomura was hired to do a
    Red Team attack on the NIDES intrusion detection system that SRI had built
    for the Navy. He overwhelmed it with alerts (NIDES produced a separate
    window on the console for every alert - ouch) before carrying out his
    attack.

    Stuart.

    -- 
    Stuart Staniford  ---  President  ---  Silicon Defense
    stuart@silicondefense.com  http://www.silicondefense.com/
    (707) 445-4355                     (707) 445-4222 (FAX)
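The two sensor behaviours the post argues about, as an added worked example: a flood of forged packets with randomised source, ports and signature makes a stateless single-point sensor's alert summary meaningless, while a sensor that only fires inside a TCP session whose handshake it observed discards the flood, because the flooder never completed one. This is constructed editor code, not code from the original post, from Snort, Snortsnarf or the stick tool; the packet model, the three hypothetical signature patterns, the addresses and the traffic mix are all invented for illustration.

```python
"""Toy model of an IDS alert flood with randomised fields, stateless vs stateful.

Constructed example; not Snort, Snortsnarf or stick code. Packets are reduced to
(src, dst, sport, dport, flags, payload) and signatures to substring matches.
"""
import random
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "src dst sport dport flags payload")

# Hypothetical content signatures standing in for a ruleset (not real Snort rules).
SIGNATURES = {
    "WEB-CGI phf": b"/cgi-bin/phf",
    "FTP SITE EXEC": b"SITE EXEC",
    "RPC portmap dump": b"\x00\x01\x86\xa0",
}


def match_signatures(payload):
    """Names of every signature whose pattern occurs in the payload."""
    return [name for name, pat in SIGNATURES.items() if pat in payload]


def handshake(src, dst, sport, dport):
    """The three packets of a completed TCP handshake, client -> server first."""
    return [
        Packet(src, dst, sport, dport, "S", b""),
        Packet(dst, src, dport, sport, "SA", b""),
        Packet(src, dst, sport, dport, "A", b""),
    ]


def run_sensor(packets, stateful):
    """Return alerts as (src, dst, sig) triples.

    stateless: any packet whose payload matches fires; this is exactly what a
    flood of forged packets relies on.
    stateful: only packets in a session whose full handshake the sensor saw can
    fire. Sessions are keyed by the client-side 4-tuple.
    """
    syn_seen, synack_seen, established = set(), set(), set()
    alerts = []
    for p in packets:
        key = (p.src, p.dst, p.sport, p.dport)
        reverse = (p.dst, p.src, p.dport, p.sport)
        if p.flags == "S":
            syn_seen.add(key)
        elif p.flags == "SA" and reverse in syn_seen:
            synack_seen.add(reverse)
        elif p.flags == "A" and key in synack_seen:
            established.add(key)
        for sig in match_signatures(p.payload):
            if not stateful or key in established:
                alerts.append((p.src, p.dst, sig))
    return alerts


def random_ip(rng):
    """Forged source address; octets 1-254 so it never collides with 192.0.2.77."""
    return ".".join(str(rng.randint(1, 254)) for _ in range(4))


def build_traffic(rng, flood_size=2000):
    """Constructed traffic: one genuine phf probe after a real handshake, buried
    in flood_size forged packets (random source, ports and signature, no
    handshake). Returns the packets and the one genuine alert triple."""
    victim, real_src = "10.0.0.5", "192.0.2.77"
    real = handshake(real_src, victim, 40123, 80) + [
        Packet(real_src, victim, 40123, 80, "PA",
               b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"),
    ]
    flood = [
        Packet(random_ip(rng), victim, rng.randint(1024, 65535),
               rng.choice([21, 80, 111]), "PA",
               rng.choice(list(SIGNATURES.values())))
        for _ in range(flood_size)
    ]
    # Keep the real packets in order and scatter the flood around them.
    traffic, flood_iter = [], iter(flood)
    for pkt in real:
        traffic.extend(next(flood_iter) for _ in range(flood_size // len(real)))
        traffic.append(pkt)
    traffic.extend(flood_iter)
    return traffic, (real_src, victim, "WEB-CGI phf")


def diagnose(alerts):
    """Snortsnarf-style summary: alert count per source address."""
    return Counter(a[0] for a in alerts)


def demo(seed=1):
    """Run both sensor modes over the same traffic and report what each sees."""
    traffic, genuine = build_traffic(random.Random(seed))
    stateless = run_sensor(traffic, stateful=False)
    stateful = run_sensor(traffic, stateful=True)
    return {
        "stateless_alerts": len(stateless),
        "stateless_distinct_sources": len(diagnose(stateless)),
        "stateful_alerts": stateful,
        "genuine": genuine,
    }


if __name__ == "__main__":
    print(demo())
```

With every field randomised, the stateless summary is about two thousand sources with one alert each, and the genuine probe is one more line in that list; the stateful sensor reports only the genuine probe. The toy deliberately omits the two caveats the post raises: a stateful sensor should still alert on abuse of its own state table (the flood of bare SYNs or bogus handshakes an attacker would use instead), and an attacker who can sniff the segment can observe or complete real sessions and so forge alerts that pass the state check.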
    
