June 21st, 2005 07:18 PM
'Stick' IDS stressing tool
geez, can you guys imagine what your Snort logs are going to look like, if anyone suspects that you are using Snort, after the program 'Stick' is released?
all the kiddies are going to be looking to fill up your Snort logs. Not to mention the CPU usage that 'Stick' is reported to cause and the possible shutdown/dropping of packets as a result of a 'Stick' attack
This sounds bad. And if the IDS is not somehow modified to deal with this eventually, 'Stick' would be the perfect pre-attack tool. If your IDS stops dropping packets after a given period of time, what better time to launch an attack!?!?
The 'Stick' website http://www.eurocompton.net/stick/projects8.html says that they are waiting for IDS vendors to make modifications to deal with Stick before it is released, but it looked like they could be talking about the fact that ISS Real Secure v5.5 would turn itself off via error during a 'Stick' session. I wasn't real clear on that.
If Snort is not however, going to be able to make some sort of modifications to deal with 'Stick', then as I said, we are going to all be in big trouble if anyone suspects that we may be using Snort. I'm not sure how you could go about getting around this problem, but I am sure hoping that there will be a way! This tool could actually turn your IDS AGAINST you!