Security Basics mailing list archives
RE: NIDS evasion techniques
From: "Sandeep Romana" <sandeepr () cdac in>
Date: Wed, 20 Feb 2008 11:05:29 +0530
Hi Blake,

I am very new to the security field, so please excuse my innocence in advance. Instead of active scanning with nmap etc., you could try passive scanning. Hope that can help you.

Sandeep

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Jonathan Askew JBASKEW
Sent: 19 February 2008 05:42
To: security-basics () securityfocus com
Subject: NIDS evasion techniques

Here is the situation. I have been trying to use fragrouter as well as fragroute to test evasion of a network IDS, specifically Snort.

I have tried starting fragrouter, then running an nmap scan with SYN scan, version detection, and a range of ports defined, but Snort detects the scan. I have tried using the various fragmentation options, but no luck.

Using fragroute I have had more success. I can run fragroute and start the same nmap scan. Snort reports truncated TCP options and warnings of a data offset, but does not report any portscan traffic. I am using the latest version of Snort with an updated rule set running on Ubuntu.

Is there any way to keep fragroute from generating alerts with Snort? Are there any guides on using fragroute and/or fragrouter for IDS evasion? I searched around but was not able to produce anything other than the man page and a few references. Is there a better method I should be looking into in order to avoid detection?

Thanks,
Blake
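From the sensor side, the symptom Blake describes (decoder warnings about truncated TCP options but no portscan alert) is what you see when Snort inspects fragments and tiny segments individually instead of the reassembled stream. The following snort.conf excerpt is an added example, not part of the thread or of the Snort distribution; it assumes Snort 2.x syntax (frag3, stream5, sfportscan), and the 192.0.2.0/24 and 198.51.100.0/24 ranges are placeholders for the protected networks.

```conf
# Added example (not from the thread): Snort 2.x snort.conf settings that make the
# sensor reassemble IP fragments and TCP segments the way the protected hosts do,
# so a fragmented or segmented scan is evaluated after reassembly, not as bare pieces.
# The address ranges are constructed placeholders.

# IP defragmentation. The engine policy should match the OS of the hosts it protects
# (target-based reassembly); detect_anomalies alerts on overlapping or odd fragments.
preprocessor frag3_global: max_frags 65536, prealloc_frags 65536
preprocessor frag3_engine: policy linux, bind_to 192.0.2.0/24, detect_anomalies, \
                           overlap_limit 10, min_fragment_length 100, timeout 180
preprocessor frag3_engine: policy windows, bind_to 198.51.100.0/24, detect_anomalies

# TCP stream reassembly. stream5 resolves segment overlaps per target OS and
# small_segments flags a run of tiny segments rather than passing them through.
preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no, \
                             max_tcp 262144, max_udp 131072
preprocessor stream5_tcp: policy linux, bind_to 192.0.2.0/24, detect_anomalies, \
                          require_3whs 180, overlap_limit 10, \
                          small_segments 3 bytes 150, timeout 180, \
                          ports both 21 22 23 25 80 110 143 443 445
preprocessor stream5_tcp: policy windows, bind_to 198.51.100.0/24, detect_anomalies
preprocessor stream5_udp: timeout 180

# Port-scan detection then runs over the reassembled view; sense_level medium
# catches slower SYN and version scans that low misses.
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { medium } \
                         logfile { portscan.log }
```

After changing these, run `snort -T -c snort.conf` to validate the configuration before restarting the sensor.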
Current thread:
- NIDS evasion techniques Jonathan Askew JBASKEW (Feb 19)
- RE: NIDS evasion techniques Sandeep Romana (Feb 20)