IDS mailing list archives
Re: Firewall-fooling techniques
From: Göran Sandahl <goran () gsandahl net>
Date: Sun, 13 Feb 2005 00:00:31 +0100
Thank you for all the replies! I've read some posts at SecurityFocus (I've been trying to dig for a reference, but I can't seem to find it again) regarding the different techniques stated in the URLs and whitepapers that some of you supplied. [1] [2] The post at SecurityFocus said something like "all these attacks are old, and aren't likely to be used anymore". All the material I've got is from 2002 and back (all the way to 1998, and that's 7 years ago, hard to believe).

So, are polymorphic shellcode, fragmentation and basic string-matching weaknesses "up-to-date" methods of fooling IDSs? Or, can someone please describe in short terms what kind of traffic IDSs have problems detecting today? And how will the bad guys do it tomorrow?

Thanks in advance!

Cheers
Göran Sandahl

[1] http://www.securityfocus.com/infocus/1577
[2] http://citeseer.nj.nec.com/ptacek98insertion.html

--
Göran Sandahl
location: stockholm, sweden
mail: goran () gsandahl net
web: http://gsandahl.net

On Tuesday 25 January 2005 02.37, Don Parker wrote:
> You may want to look into shellcode obfuscation. While it may not fool every IDS out there, it certainly fools a great many analysts.
>
> --------------------------------------------------------------
> Don Parker, GCIA GCIH
> Intrusion Detection & Incident Handling Specialist
> Bridon Security & Training Services
> http://www.bridonsecurity.com
> voice: 1-613-302-2910
> --------------------------------------------------------------
>
> On Mon Jan 24 13:48, Krzysztof Cabaj sent:
>
>>> Hi,
>>> I'm looking for some basic information on "techniques" on "fooling" firewalls and IDSs. Like using fragmented packages to fool packet-filtering firewalls etc.. Any suggestions on such techniques, and perhaps some references to online literature..?
>>
>> I think this is a good beginning ... maybe not recent, but for a beginning perfect.
>>
>> T.H. Ptacek, T.N. Newsham: Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection, January 1998, URL: http://citeseer.nj.nec.com/ptacek98insertion.html
>>
>> And some for the application layer: the Whisker library for fooling IDSs which look at HTTP traffic. http://www.ussrback.com/docs/papers/IDS/whiskerids.html
>>
>> Best regards,
>> Chris
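Example code added for this archive page (not from the thread or any of its authors): the insertion/evasion paper and the Whisker reference in the quoted replies both come down to where the sensor looks. Two toy detectors are run over a constructed HTTP request: a per-packet string matcher, and one that reassembles the TCP stream and normalises the request path before matching. `SEGMENTS`, `SIGNATURE` and all helper names are assumptions made for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample (not from the thread): one HTTP request split across three
# TCP segments, given as (sequence number, payload).  The pattern "/cgi-bin/phf"
# never appears whole inside any single segment, and the path additionally uses
# a self-referencing "/./" directory and percent-encodes one character.
SEGMENTS = [
    (0, b"GET /cgi-b"),
    (10, b"in/./ph%66 HTTP/1.0\r\n"),
    (31, b"Host: example.test\r\n\r\n"),
]
SIGNATURE = b"/cgi-bin/phf"   # hypothetical content-match rule

def match_per_packet(segments, signature):
    """Naive detector: string-match each segment on its own, no reassembly."""
    return any(signature in payload for _, payload in segments)

def reassemble(segments):
    """Order segments by sequence number and rebuild the byte stream.

    A real sensor must also resolve overlapping or retransmitted segments the
    same way the protected host's TCP stack does (the ambiguity Ptacek and
    Newsham describe); this toy simply refuses streams with gaps or overlaps.
    """
    stream, expected = b"", None
    for seq, payload in sorted(segments):
        if expected is not None and seq != expected:
            raise ValueError("gap or overlap at seq %d" % seq)
        stream += payload
        expected = seq + len(payload)
    return stream

def normalize_uri(uri):
    """Canonicalise a request path before matching: decode %XX escapes,
    collapse repeated slashes and strip '/./' segments until stable."""
    uri = unquote_to_bytes(uri)
    uri = re.sub(rb"/+", b"/", uri)
    while b"/./" in uri:
        uri = uri.replace(b"/./", b"/")
    return uri

def match_stream(segments, signature):
    """Stream-aware detector: reassemble, then match on the normalised path."""
    request_line = reassemble(segments).split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    uri = parts[1] if len(parts) >= 2 else b""
    return signature in normalize_uri(uri)

if __name__ == "__main__":
    print("per-packet match:", match_per_packet(SEGMENTS, SIGNATURE))  # False
    print("reassembled match:", match_stream(SEGMENTS, SIGNATURE))     # True
```

The segment order is irrelevant to the stream-aware detector, which is the property a sensor needs when packets arrive out of order.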