Dailydave mailing list archives
Re: Britney and Kevin are Chaotic
From: Matt LeGrow <mlegrow () nfr com>
Date: Thu, 26 May 2005 15:08:36 -0400
Dave Aitel wrote:
What sort of protocol designer makes their protocol different over the local named pipe interface and over the remote named pipe interface? An insane evil clown protocol designer, that's who.
You had me at "application layer fragmenting".
I notice NFR has added a module that detects CANVAS's MSRPC evasions ( http://www.nfr.com/solutions/detail.php?id=171).
Ahh, the Dark Lord of the Procedure Call has temporarily muddled your senses. We don't alert just because you're using CANVAS, we just handle it more properly now when the covert bar is cranked way up now (due to a bug, we didn't previously). Mea culpa.
As an aside, client-side MSRPC fragmentation (at least over TCP) appearing on the wire is pretty dubious anyways; i've looked at quite a bit of MSRPC traffic and I certainly haven't seen it occur naturally. Not to say that it *can't*; but it probably *shouldn't*. So maybe just in this one case, it is actually sort of kinda maybe almost okay-ish to just match on the magic bit and cry wolf.
Then again, the IDS industry is the deformed little brother of the information security industry. No matter how much you beat it up, it never gets any prettier. I've always wondered why so many good minds get sucked into it, never to be seen again.
Careful Dave, you're leading to the "half-picked scab" analogy for the Vulnerability Research industry ;-)
Matt LeGrow NFR Rapid Response Team _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com https://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Re: Britney and Kevin are Chaotic, (continued)
- Re: Britney and Kevin are Chaotic byte_jump (May 26)
- Re: Britney and Kevin are Chaotic Holden Williamson (May 26)
- Re: Britney and Kevin are Chaotic dan (May 26)
- Re: Britney and Kevin are Chaotic Andrew R. Reiter (May 26)
- RE: Britney and Kevin are Chaotic El Nahual (May 26)
- Re: Britney and Kevin are Chaotic joanna (May 27)
- RE: Britney and Kevin are Chaotic El Nahual (May 27)
- Re: Britney and Kevin are Chaotic joanna (May 27)
- Re: Britney and Kevin are Chaotic Steve Lord (May 27)