DocumentCode :
2262584
Title :
An evasive attack on SNORT flowbits
Author :
Tran, Tung ; Aib, Issam ; Al-Shaer, Ehab ; Boutaba, Raouf
Author_Institution :
Univ. of Waterloo, Waterloo, ON, Canada
fYear :
2012
fDate :
16-20 April 2012
Firstpage :
351
Lastpage :
358
Abstract :
The support of stateful signatures is an important feature of signature-based Network Intrusion Detection Systems (NIDSs) which permits the detection of multi-stage attacks. However, due to the difficulty of completely simulating every application protocol, several NIDS evasion techniques exploit this Achilles' heel, making the NIDS and its protected system see and interpret a packet sequence differently. In this paper, we propose an evasion technique against the Snort NIDS which exploits its flowbits feature. We specify the flowbit evasion attack, provide practical algorithms to solve it with controllable false positives, and formally prove their correctness and completeness. We implemented a tool called SFET which can automatically parse a Snort rule set, generate all possible sequences that can evade it, and produce a patch to guard the rule set against those evasions. Although Snort was used for illustration, both the evasion attack and the solution to it are applicable to any stateful signature-based NIDS.
Keywords :
computer network security; transport protocols; Achilles heel; IP fragmentation; NIDS evasion techniques; SFET; SNORT flowbits; TCP segmentation; application protocol; flowbit evasion attack; multistage attack detection; packet sequence; signature-based network intrusion detection systems; snort rule set; Complexity theory; Doped fiber amplifiers; Engines; IP networks; Payloads; Protocols; Servers;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Network Operations and Management Symposium (NOMS), 2012 IEEE
Conference_Location :
Maui, HI
ISSN :
1542-1201
Print_ISBN :
978-1-4673-0267-8
Electronic_ISBN :
1542-1201
Type :
conf
DOI :
10.1109/NOMS.2012.6211918
Filename :
6211918