DocumentCode
2262584
Title
An evasive attack on SNORT flowbits
Author
Tran, Tung ; Aib, Issam ; Al-Shaer, Ehab ; Boutaba, Raouf
Author_Institution
Univ. of Waterloo, Waterloo, ON, Canada
fYear
2012
fDate
16-20 April 2012
Firstpage
351
Lastpage
358
Abstract
The support of stateful signatures is an important feature of signature-based Network Intrusion Detection Systems (NIDSs) which permits the detection of multi-stage attacks. However, due to the difficulty of completely simulating every application protocol, several NIDS evasion techniques exploit this Achilles' heel, making the NIDS and its protected system see and explain a packet sequence differently. In this paper, we propose an evasion technique against the Snort NIDS which exploits its flowbits feature. We specify the flowbit evasion attack and provide practical algorithms to solve it with controllable false positives and formally prove their correctness and completeness. We implemented a tool called SFET which can automatically parse a Snort rule set, generate all possible sequences that can evade it, as well as produce a patch to guard the rule set against those evasions. Although Snort was used for illustration, both the evasion attack and the solution to it are applicable to any stateful signature-based NIDS.
Keywords
computer network security; transport protocols; Achilles heel; IP fragmentation; NIDS evasion techniques; SFET; SNORT flowbits; TCP segmentation; application protocol; flowbit evasion attack; multistage attack detection; packet sequence; signature-based network intrusion detection systems; snort rule set; Complexity theory; Doped fiber amplifiers; Engines; IP networks; Payloads; Protocols; Servers;
fLanguage
English
Publisher
ieee
Conference_Titel
Network Operations and Management Symposium (NOMS), 2012 IEEE
Conference_Location
Maui, HI
ISSN
1542-1201
Print_ISBN
978-1-4673-0267-8
Electronic_ISBN
1542-1201
Type
conf
DOI
10.1109/NOMS.2012.6211918
Filename
6211918