From: William M. <Wil...@kc...> - 2004-06-14 21:41:05

After running a stick attack against snort_inline in stateless mode for about an hour, snort_inline dies with the following error. The problem lies in that if you run stick against snort_inline like ./stick -dH 192.168.1.1 it generates a directory for every source IP address that the attack originates from; with -sH stick generates random IPs. At least on my box, when I hit 32000 directories snort_inline dies, all traffic being passed to queue space isn't ever inspected, and never traverses the bridge, i.e. DoS. What do you guys think about tarring and gzipping everything within /var/log/snort when we hit x number of directories? This will be a problem even with stream4 enabled, because we can't inspect state on a stateless protocol (UDP); if somebody crafted a stick attack with purely UDP traffic we would still have a DoS.

detect.c:852: CheckSrcIPEqual:
detect.c:904: Mismatch on SIP
fpdetect.c:508: => Header check failed, checking next node
fpdetect.c:510: => returned from next node check
fpdetect.c:416: => Checking Option Node 1710
fpdetect.c:503: [*] Rule Head 142
detect.c:757: Checking bidirectional rule...
detect.c:424: CheckAddrPort:
detect.c:431: SRC
detect.c:468: addr 88ec740, port 49463
detect.c:522: , addresses accepted
detect.c:528: , any port match, packet accepted
detect.c:762: Src->Src check passed
detect.c:424: CheckAddrPort:
detect.c:451: DST
detect.c:468: addr 6401a8c0, port 80
detect.c:518: , no address match, packet rejected
detect.c:768: Dst->Dst check failed, checking inverse combination
detect.c:424: CheckAddrPort:
detect.c:431: SRC
detect.c:468: addr 88ec740, port 49463
detect.c:518: , no address match, packet rejected
detect.c:789: Inverse Dst->Src check failed, trying next rule
fpdetect.c:508: => Header check failed, checking next node
fpdetect.c:510: => returned from next node check
fpdetect.c:203: => Got rule match, rtn type = 14
detect.c:402: Triggering responses (nil)
detect.c:1453: <!!> Generating Alert and dropping! "WEB-MISC http directory traversal"
ERROR: OpenLogFile() => mkdir(/var/log/snort/64.199.142.8) log directory: Too many links
Fatal Error, Quitting..

Regards,
Will
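The rotation Will proposes (tar and gzip the per-source-IP directories once their count reaches a limit, so the log root never hits the filesystem's link limit) could look like the following. This is an added example, not code from snort_inline or from the poster; the function names, the threshold parameter, the archive naming and the sample layout are assumptions made here.

```python
import os
import re
import shutil
import tarfile
import tempfile
import time

# Per-source-IP directory names as OpenLogFile() creates them (dotted quad),
# so other files under the log root are never touched by the rotation.
IP_DIR_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def ip_dirs(log_dir):
    """Sorted list of per-source-IP subdirectories under log_dir."""
    return sorted(d for d in os.listdir(log_dir)
                  if IP_DIR_RE.match(d) and os.path.isdir(os.path.join(log_dir, d)))


def archive_if_too_many(log_dir, threshold):
    """Tar+gzip and remove the per-IP directories once their count reaches
    threshold; returns the archive path, or None while below threshold.
    Keep threshold well under the filesystem's per-directory link limit
    (the post reports the crash at about 32000 entries)."""
    dirs = ip_dirs(log_dir)
    if len(dirs) < threshold:
        return None
    name = "alerts-%s-%d.tar.gz" % (time.strftime("%Y%m%d-%H%M%S"), os.getpid())
    archive = os.path.join(log_dir, name)
    with tarfile.open(archive, "w:gz") as tar:
        for d in dirs:
            tar.add(os.path.join(log_dir, d), arcname=d)  # recursive add
    # Remove only after the archive is fully written and closed.
    for d in dirs:
        shutil.rmtree(os.path.join(log_dir, d))
    return archive


def archive_members(archive):
    """Sorted member names of a rotated archive (for inspection and tests)."""
    with tarfile.open(archive, "r:gz") as tar:
        return sorted(tar.getnames())


def build_sample_layout(n_ips):
    """Constructed sample log root (assumption: mirrors /var/log/snort):
    n_ips per-IP dirs with one alert file each, plus an unrelated file."""
    root = tempfile.mkdtemp(prefix="snortlog-")
    for i in range(n_ips):
        d = os.path.join(root, "10.0.%d.%d" % (i // 256, i % 256))
        os.mkdir(d)
        with open(os.path.join(d, "TCP_49463-80"), "w") as f:
            f.write("constructed alert\n")
    with open(os.path.join(root, "alert"), "w") as f:
        f.write("constructed alert log\n")
    return root
```

Run from cron or a watchdog loop against the real log root with a threshold far below the limit; a stateless flood then costs disk for one archive instead of a fatal mkdir().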