An Evasive Attack on SNORT Flowbits
The support of stateful signatures is an important feature of signature-based Network Intrusion Detection Systems (NIDSs) which permits the detection of multi-stage attacks. However, due to the difficulty to completely simulate every application protocol, several NIDS evasion techniques exploit this Achilles' heel, making the NIDS and its protected system see and explain a packet sequence differently. In this paper, the authors propose an evasion technique to the Snort NIDS which exploits its flow-bits feature. They specify the flow-bit evasion attack and provide practical algorithms to solve it with controllable false positives and formally prove their correctness and completeness.