Mucking Around with Barnyard

“…Since a NIDS that performs a stateful TCP inspection (e.g., [3,14]) uses acknowledgments to update its internal TCP state, different orderings of attack packets and acknowledgments induce different TCP states. Hence, even with a limited ability to influence the ordering between attack packets and victim's acknowledgments, an attacker can create an ordering that induces a TCP state in which a NIDS misses an attack (e.g., Snort Evasive-RST vulnerability, Section 6.1).…”

Automatic Generation and Analysis of NIDS Attacks

“…Since a NIDS that performs a stateful TCP inspection (e.g., [3,14]) uses acknowledgments to update its internal TCP state, different orderings of attack packets and acknowledgments induce different TCP states. Hence, even with a limited ability to influence the ordering between attack packets and victim's acknowledgments, an attacker can create an ordering that induces a TCP state in which a NIDS misses an attack (e.g., Snort Evasive-RST vulnerability, Section 6.1).…”

Automatic Generation and Analysis of NIDS Attacks

“…Snort, a widelyused NIDS [3,28], represents a signature using a set of attributes: packet attributes, like a packet length, and pattern attributes, like a regular expression defined over the attack bytes. A Snort signature corresponds to a single attack event; it does not (and probably cannot) model the entire attack since Snort does not facilitate composition of rules (except for the ability to dynamically invoke rules for logging purposes).…”

Language-Based Generation and Evaluation of NIDS Signatures