IDS mailing list archives

RE: interesting paper on testing sig-based IDS


From: "Micheal Reynolds" <mreynolds () dublin com>
Date: Sat, 05 Mar 2005 05:10:58 -0500

Kyle

I thought fragroute only did fragmentation and that most stateful IPS should handle this easily because you cannot 
determine the application until you see the first fragment and it cannot be forwarded until you know what the overall 
length is.

So it is really the ability to send traffic in out-of-order TCP segments that is where I am having trouble doing 
this for traffic sent via metasploit.

I will look more closely at fragroute/fragrouter if it has this ability.

Thanks
Mick
----- Original Message -----
From: "Kyle Quest" <Kyle.Quest () networkengines com>
To: focus-ids () lists securityfocus com
Subject: RE: interesting paper on testing sig-based IDS
Date: Thu, 3 Mar 2005 08:48:34 -0500


Mick,
Have you thought about using fragroute/fragrouter for that???
They do a good job with TCP. It seems like that's what you
are asking for when you talk about TCP in your email

Kyle

-----Original Message-----
From: buineach [mailto:securesolutions () gmail com]
Sent: Tuesday, March 01, 2005 6:59 PM
To: Jonathon Giffin
Cc: Kohlenberg, Toby; focus-ids () lists securityfocus com; Shai Rubin
Subject: Re: interesting paper on testing sig-based IDS


Hi
I just joined this forum so apologies if this has been asked/answered before.

Is this tool available to the general public? I do a lot of IPS
testing and would like to verify further the fragmentation and TCP
segment handling of these inline products.
I have been assuming that all current IPS products have mechanisms to
deal with evasion techniques like this but as the NSS testing results
show a lot of current IPS solutions are nothing more than the offline
IDS they were before with many signatures disabled with 2 NICs.

A real concern I have with inline IPS that depend on a central CPU to
deal with fragmentation and segmentation evasion is that an overload
attack with this traffic will make the IPS the weakest link in the
network.
I have ruled out many IPS vendors based on using ISIC through the IPS
but would like to have a more specific tool to deal with TCP segment
shifting with metasploit framework for example to see who fails here.

Any info appreciated.

Mick



--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------



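Mick's question is whether an inline IPS inspects TCP segments as they arrive or reassembles the stream first. The following added example (written for this archive page; it is not code from the thread, from fragroute, or from any vendor) shows the difference on constructed input: one HTTP request cut into three segments so that a hypothetical content signature straddles a segment boundary, delivered out of order. A per-segment matcher misses it; a matcher that rebuilds the stream by sequence number finds it, and correctly withholds a verdict while a hole remains. The "first-received byte wins" overlap policy is an assumption made for brevity; a production engine has to mirror the reassembly policy of the protected host.

```python
"""Why an inline IPS must reassemble TCP before matching signatures.

Added example, not part of the mailing-list thread. Input is constructed:
one HTTP request split into three TCP segments and delivered out of order,
so the signature string straddles a segment boundary.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Hypothetical content signature used only for this demonstration.
SIGNATURE = b"/bin/sh"


@dataclass(frozen=True)
class Segment:
    seq: int        # relative sequence number of the first payload byte
    payload: bytes


def split_stream(data: bytes, cuts: List[int], isn: int = 0) -> List[Segment]:
    """Cut a byte stream into segments at the given offsets (constructed-input helper)."""
    bounds = [0] + sorted(cuts) + [len(data)]
    return [Segment(isn + a, data[a:b]) for a, b in zip(bounds, bounds[1:]) if b > a]


def per_segment_match(segments: Iterable[Segment], signature: bytes = SIGNATURE) -> bool:
    """Naive matcher: inspects each segment on its own, in arrival order."""
    return any(signature in seg.payload for seg in segments)


def reassemble(segments: Iterable[Segment], isn: int = 0) -> Optional[bytes]:
    """Rebuild the contiguous stream starting at isn. Returns None while a hole remains.

    Overlapping bytes keep the first-received copy (assumed policy); a real
    engine must instead follow the reassembly behaviour of the protected host.
    """
    seen: Dict[int, int] = {}
    for seg in segments:              # arrival order, not sequence order
        for i, b in enumerate(seg.payload):
            seen.setdefault(seg.seq + i, b)
    out = bytearray()
    pos = isn
    while pos in seen:
        out.append(seen[pos])
        pos += 1
    if len(out) != len(seen):         # bytes exist beyond a gap: not deliverable yet
        return None
    return bytes(out)


def stream_match(segments: Iterable[Segment], signature: bytes = SIGNATURE) -> bool:
    """Stateful matcher: only inspects data the receiver could actually deliver."""
    data = reassemble(segments)
    return data is not None and signature in data


# Constructed request; the signature starts at offset 19 and spans both cuts.
REQUEST = b"GET /cgi-bin/x?cmd=/bin/sh HTTP/1.0\r\n"
IN_ORDER = split_stream(REQUEST, cuts=[22, 24])
OUT_OF_ORDER = [IN_ORDER[2], IN_ORDER[0], IN_ORDER[1]]


def compare() -> dict:
    """Return each matcher's verdict on the same out-of-order delivery."""
    return {
        "per_segment": per_segment_match(OUT_OF_ORDER),
        "reassembled": stream_match(OUT_OF_ORDER),
        "reassembled_with_hole": stream_match(OUT_OF_ORDER[:2]),  # middle segment never arrives
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:>22}: {'ALERT' if verdict else 'no match'}")
```

Running it prints "no match" for the per-segment matcher, "ALERT" for the reassembled stream, and "no match" while the middle segment is outstanding. That last case is the one to watch in an inline product: an engine that forwards segments before the gap is filled has already let the data through, and one that holds every stream with an open gap is exposed to the resource-exhaustion concern raised in the thread.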