Publication details

Network Intrusion Detection Systems Evasion Techniques – an Investigation Using Snort
Ytreberg JA, Papadaki M
Advances in Communications, Computing, Networks and Security 5, ISBN: 978-1-84102-257-4, pp49-58, 2008
Can be ordered on-line.

Intrusion Detection Systems (IDS) provide an extra security precaution by detecting attacks that have bypassed the firewall. Snort IDS is one of the most widely used IDSs (Siddhart, 2005). When a network is monitored by an IDS, attackers can send evasive attack packets that try to avoid detection. This research conducted experiments testing Snort's alerting capabilities when mutated attack packets were sent to a web server, using an IDS evasion tool called Nikto. It was found that Snort alerted for about half of the attack packets. Weaknesses were found in Snort's ability to detect certain evasion attacks, which can be solved by creating customized rules. The research also proposes a new detection method for Snort: dividing large request strings into smaller ones and analyzing each of them against the rules. The total danger level of these combined strings could then decide whether Snort alerts for the request.
