Bugtraq mailing list archives
Re: CyberCop Monitor NT 2.5
From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Wed, 24 May 2000 18:42:33 -0700
The "evasion" paper by "NAI" was actually created by Secure Networks, the authors of the "Ballista" scanner (now CyberCop Scanner) product. To some extent it was a white paper designed to convince people of the value of scanners over IDSs. (Whitepapers aren't necessarily lies; you can bludgeon the competition with facts, too.)

Network General (Sniffer folks) created CyberCop Monitor v1.0 from technology licensed from WheelGroup. McAfee Associates bought Network General (forming Network Associates) at roughly the same time that Cisco bought WheelGroup. After getting into a licensing snafu with Cisco (long story there), NAI basically had to pull CyberCop Monitor off the market for the time specified in the contract and create a new product from scratch (now known as v2.x, which is completely unrelated to v1.x).

The evasion paper talks mostly about techniques at the raw TCP and IP layers. An example would be to "desynchronize" a TCP connection: send a FIN packet with a TTL so that the packet is seen by the IDS (which closes its tables) but which gets dropped by a router before reaching the victim. This allows an attacker to continue using a connection to attack the victim that the IDS falsely believes is closed.

Whisker uses evasion techniques at the application layer rather than transport layers. The following URLs are equivalent as far as the HTTP server is concerned:

http://www.example.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
http://www.example.com/cgi-bin/./phf?Qalias=x%0a/bin/cat%20/etc/passwd
http://www.example.com/cgi-bin/x/../phf?Qalias=x%0a/bin/cat%20/etc/passwd
http://www.example.com/%63gi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

A lot of IDSs cannot detect the "signature" if it doesn't exactly match the pattern they are looking for (which in this case would be "/cgi-bin/phf"). The marketing message from some IDS vendors has been that such attacks are "purely theoretical" and not a practical worry.
The anti-evasion capabilities of an IDS are something you will have to evaluate yourself. On one hand, utilities like "whisker" and "fragrouter" are at the "script kiddy" level of sophistication; it doesn't take a genius to use them (you could easily use them when evaluating an IDS). On the other hand, most script kiddies don't do anything more complex than what they believe to be "stealth" TCP scans (half-open scans that virtually all IDSs detect).

More information on attacking the IDS or evading it can be found at:

http://www.robertgraham.com/pubs/network-intrusion-detection.html#9.3
http://www.robertgraham.com/pubs/network-intrusion-detection.html#9.4
http://www.robertgraham.com/pubs/network-intrusion-detection.html#9.5

Robert Graham
CTO/Network ICE

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () securityfocus com] On Behalf Of dr_erik_wright () GMX NET
Sent: Tuesday, May 23, 2000 4:51 PM
To: BUGTRAQ () securityfocus com
Subject: CyberCop Monitor NT 2.5

While playing with whisker's IDS evasion features, I determined that some of the techniques employed are effective against Cybercop Monitor 2.5 on the Windows NT platform. This came as a great surprise to me since my company chose this product because of the IDS evasion paper that Network Associates released a few years ago. They don't seem to practice what they preach, just like every other commercial security solution. After doing some searching, I noticed that ISS Realsecure had a similar problem that was reported on bugtraq a few months ago. Thanks a bunch ISS and Network Associates.

--
Sent through Global Message Exchange - http://www.gmx.net
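The application-layer evasion Graham describes (the four "equivalent" phf URLs) comes down to whether the IDS canonicalizes the request path the way the web server does before matching a signature. The following is an added example, not code from either message in this thread or from whisker, CyberCop Monitor, or any other product named here: a small path normalizer that percent-decodes the path and collapses "./" and "x/../" segments, run against the four URLs from the post plus a constructed non-phf request, next to the naive substring match many IDSs of the time used. The function names, the sample URL list, and the decision to decode before splitting on "/" are all assumptions of this example.

```python
from urllib.parse import unquote

# Constructed sample input: the four equivalent URLs quoted in the post,
# plus one request that is NOT a phf request (to show a naive false positive).
SAMPLE_URLS = [
    "http://www.example.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd",
    "http://www.example.com/cgi-bin/./phf?Qalias=x%0a/bin/cat%20/etc/passwd",
    "http://www.example.com/cgi-bin/x/../phf?Qalias=x%0a/bin/cat%20/etc/passwd",
    "http://www.example.com/%63gi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd",
    "http://www.example.com/cgi-bin/phfoo?x=1",   # constructed: not phf
]

SIGNATURE = "/cgi-bin/phf"


def request_path(url):
    """Return only the path of a URL: no scheme, host, or query string.

    The query is split off *before* percent-decoding so that an encoded
    "?" inside the path cannot be mistaken for the query separator.
    """
    if "://" in url:
        url = url.split("://", 1)[1]
        url = url[url.find("/"):] if "/" in url else "/"
    return url.split("?", 1)[0]


def normalize_path(path):
    """Canonicalize a path the way the target HTTP server would see it.

    Assumption of this example: percent-decoding happens before the path is
    split into segments, so "%63gi-bin" becomes "cgi-bin". Real servers vary
    in how they treat an encoded slash (%2F); match this to your target.
    """
    decoded = unquote(path)          # hex-encoding evasion: %63 -> c
    out = []
    for seg in decoded.split("/"):
        if seg in ("", "."):         # "//" or "./": self-reference, no-op
            continue
        if seg == "..":              # "x/..": drop the previous segment
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def naive_match(url, signature=SIGNATURE):
    """The literal-substring check that the evasions in the post defeat."""
    return signature in url


def normalized_match(url, signature=SIGNATURE):
    """Match on the canonical path, on a segment boundary (no 'phfoo')."""
    path = normalize_path(request_path(url))
    return path == signature or path.startswith(signature + "/")


def evaluate(urls=SAMPLE_URLS):
    """Return [(naive_result, normalized_result), ...] for each URL."""
    return [(naive_match(u), normalized_match(u)) for u in urls]


if __name__ == "__main__":
    for url, (naive, norm) in zip(SAMPLE_URLS, evaluate()):
        print(f"naive={naive!s:5} normalized={norm!s:5}  {url}")
```

The naive check fires only on the first URL (and, as a false positive, on the constructed "phfoo" request), while the normalized check fires on all four phf variants and not on "phfoo". When evaluating an IDS against whisker, this is the property to test: the sensor must normalize to what the *target* server accepts, and the same IDS will need a different normalizer for a server that, say, refuses "../" or decodes differently.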
Current thread:
- CyberCop Monitor NT 2.5 dr_erik_wright () GMX NET (May 23)
- Gauntlet Exploit proof gramble none (May 24)
- Re: CyberCop Monitor NT 2.5 Robert Graham (May 24)