Security Basics mailing list archives

RE: NIDS evasion techniques


From: "Sandeep Romana" <sandeepr () cdac in>
Date: Wed, 20 Feb 2008 11:05:29 +0530


Hi Blake,

I am very new to the security field, so please excuse me in advance for my innocence.

Instead of active scanning with nmap etc., you can try passive scanning.
Hope that can help you.

Sandeep




-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Jonathan Askew JBASKEW
Sent: 19 February 2008 05:42
To: security-basics () securityfocus com
Subject: NIDS evasion techniques


Here is the situation. I have been trying to use fragrouter as well as
fragroute to test evasion of a network IDS, specifically Snort. I have
tried starting fragrouter, then running an nmap scan with SYN scan,
version detection, and a range of ports defined, but Snort detects the
scan. I have tried using the various fragmentation options but no luck.
Using fragroute I have had more success. I can run fragroute and start the
same nmap scan. Snort reports truncated TCP options and warnings of a data
offset but does not report any portscan traffic. I am using the latest
version of Snort with an updated rule set running on Ubuntu.

Is there any way to keep fragroute from generating alerts with snort? Are
there any guides on using fragroute and/or fragrouter for IDS evasion? I
searched around but was not able to produce anything other than the man
page and a few references. Is there a better method I should be looking
into in order to avoid detection?



Thanks,
Blake

