Intrusion Detection Systems mailing list archives
RE: RE: NFR DDOS problems
From: Justin.Linton () guardent com
Date: Thu, 10 May 2001 16:56:00 -0400
Archive: http://msgs.securepoint.com/ids
FAQ IDS: http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm
FAQ NIDS: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------

Hello:

Stick uses a snort rule base to create the attack, but you could customize the rule base so that it is common to IDS filters across different vendors, i.e. the back orifice filter and other filters that almost all IDS have. Take a look at this url.

http://www.eurocompton.net/stick/

Justin

-----Original Message-----
From: Jeff Nathan [mailto:jeff () wwti com]
Sent: May 10, 2001 3:51 PM
To: Justin.Linton () guardent com
Cc: JStClair () vredenburg com; ids () uow edu au
Subject: Re: IDS: RE: NFR DDOS problems

I'm a bit curious if this will even work against NFR, as the initial implementation was simply designed to attack snort's alerting mechanism and non-statefulness. Have you tested NFR with stick?

Justin.Linton () guardent com wrote:

Hello James:

Do you mean will it start dropping packets if it is DDOSed? If you want to stress test NFR try Stick against it. You can get it at securityfocus.com in their tools section.

"Stick uses the Snort rule set and produces a C program via lex that when compiled will produce an IP packet capable of triggering that rule from a spoofed IP range (or all possible IP addresses) into a target IP range. A function is produced for each rule and a loop then executes these rules in a random order. The tool currently produces these at about 250 alarms per second." Security Focus Web site.

Of course this would depend on the n-code you have enabled and how you have it set to alert.

Best Regards,
Justin Linton
Security Consultant
____________________________________________
G U A R D E N T C A N A D A
Security | Privacy | Data Protection

-----Original Message-----
From: St. Clair, James [mailto:JStClair () vredenburg com]
Sent: May 8, 2001 2:11 PM
To: 'ids () uow edu au'
Subject: IDS: NFR DDOS problems

Any one hear of potential DDO problems with NFR, in particular stacheldraht? Appreciate any feedback..

Jim

--
http://jeff.wwti.com (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen." - Albert Einstein
