IDS mailing list archives
RE: interesting paper on testing sig-based IDS
From: "Micheal Reynolds" <mreynolds () dublin com>
Date: Sat, 05 Mar 2005 05:10:58 -0500
Kyle,

I thought fragroute only did fragmentation and that most stateful IPS should handle this easily, because you cannot determine the application until you see the first fragment and it cannot be forwarded until you know what the overall length is. So it is really the ability to send traffic in out of order TCP segment wise that is where I am having trouble doing this for traffic sent via metasploit. I will look more closely at fragroute/fragrouter if it has this ability.

Thanks
Mick

----- Original Message -----
From: "Kyle Quest" <Kyle.Quest () networkengines com>
To: focus-ids () lists securityfocus com
Subject: RE: interesting paper on testing sig-based IDS
Date: Thu, 3 Mar 2005 08:48:34 -0500
Mick,

Have you thought about using fragroute/fragrouter for that??? They do a good job with TCP. It seems like that's what you are asking for when you talk about TCP in your email.

Kyle

-----Original Message-----
From: buineach [mailto:securesolutions () gmail com]
Sent: Tuesday, March 01, 2005 6:59 PM
To: Jonathon Giffin
Cc: Kohlenberg, Toby; focus-ids () lists securityfocus com; Shai Rubin
Subject: Re: interesting paper on testing sig-based IDS

Hi

I just joined this forum so apologies if this has been asked/answered before. Is this tool available to the general public, as I do a lot of IPS testing and would like to verify further the fragmentation and TCP segment handling of these inline products?

I have been assuming that all current IPS products have mechanisms to deal with evasion techniques like this, but as the NSS testing results show, a lot of current IPS solutions are nothing more than the offline IDS they were before, with many signatures disabled, with 2 NICs.

A real concern I have with inline IPS that depend on a central CPU to deal with fragmentation and segmentation evasion is that an overload attack with this traffic will make the IPS the weakest link in the network.

I have ruled out many IPS vendors based on using ISIC through the IPS but would like to have a more specific tool to deal with TCP segment shifting with metasploit framework, for example, to see who fails here.

Any info appreciated.

Mick
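An added example, not part of the original messages or any tool named in them: a minimal sketch of the sensor-side behaviour the thread is asking about, showing why a signature has to be matched on the reassembled stream rather than on each TCP segment, and how a cap on buffered out-of-order data bounds the overload concern raised above. The marker, class and function names, the 64 KiB cap and the sample segments are all constructed for illustration.

```python
SIGNATURE = b"TESTSIG-0001"   # constructed marker standing in for a content signature

class StreamReassembler:
    """One direction of one TCP flow. Assumption: no 32-bit sequence wraparound."""

    def __init__(self, isn, max_buffered=65536):
        self.next_seq = isn            # next in-order byte expected
        self.pending = {}              # seq -> payload held until the gap closes
        self.stream = bytearray()      # contiguous bytes, safe to inspect
        self.max_buffered = max_buffered

    def add(self, seq, payload):
        """Accept a segment in any order. False means the hold buffer is over its cap."""
        if seq + len(payload) <= self.next_seq:
            return True                # retransmission of bytes already committed
        self.pending.setdefault(seq, payload)
        if sum(len(p) for p in self.pending.values()) > self.max_buffered:
            return False
        while True:                    # drain every segment that is now contiguous
            ready = [s for s in self.pending if s <= self.next_seq]
            if not ready:
                return True
            s = min(ready)
            # Trim bytes already committed: the first copy seen wins on overlap.
            chunk = self.pending.pop(s)[self.next_seq - s:]
            self.stream += chunk
            self.next_seq += len(chunk)

def per_segment_match(segments):
    """Packet-at-a-time matching: misses a signature split across segments."""
    return any(SIGNATURE in payload for _, payload in segments)

def inspect(segments, isn, max_buffered=65536):
    """Return 'alert', 'clean', or 'drop' (cap exceeded: fail closed)."""
    flow = StreamReassembler(isn, max_buffered)
    for seq, payload in segments:
        if not flow.add(seq, payload):
            return "drop"
    return "alert" if SIGNATURE in flow.stream else "clean"

# Constructed sample: the marker straddles two segments that arrive out of order.
OUT_OF_ORDER = [(1009, b"IG-0001:end"), (1000, b"hdr:TESTS")]

if __name__ == "__main__":
    print(per_segment_match(OUT_OF_ORDER), inspect(OUT_OF_ORDER, isn=1000))
```

An inline device that forwards held segments before the gap is filled, or that resolves overlapping bytes differently from the destination host, can still disagree with the endpoint about the stream, so the overlap policy is something to test per target operating system.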