IDS mailing list archives
Re: RPC Evasion techniques
From: Pukhraj Singh <pukhraj.singh () gmail com>
Date: Fri, 4 Nov 2005 02:50:49 +0530
So, I strongly believe that the published results are not a reflection of the quality of recent ISS product protection.
Can't comment on that.
Even so, I still believe that the results demonstrate the strengths of the authors' technology to expose limitations in an IDS/IPS product whether or not the product is still relevant.
I concur. The tid-bits about these issues were known for quite a while now, it's just that the scope of these discussions were primarily limited to the developer's desk. Now, as the security appliances are actually doing some advanced protocol decoding and lexical analysis, these issues become very important. I think the authors are also planning for the public release of the exploit mutation tool. -Regards Pukhraj On 11/4/05, Palmer, Paul (ISSAtlanta) <PPalmer () iss net> wrote:
I would like to make a comment on that paper you cited as it relates to the test results. I am impressed by the authors' technology. I believe they are helping to advance the state of the art in IDS/IPS testing. However, ISS has been unable to reproduce the results that the authors describe with recent products. I believe that the authors were using older versions of ISS products during testing. So far, they have not provided product version information when asked. So, I strongly believe that the published results are not a reflection of the quality of recent ISS product protection. Even so, I still believe that the results demonstrate the strengths of the authors' technology to expose limitations in an IDS/IPS product whether or not the product is still relevant. Paul -----Original Message----- From: Pukhraj Singh [mailto:pukhraj.singh () gmail com] Sent: Monday, October 31, 2005 7:28 AM To: tcp fin Cc: focus-ids () securityfocus com Subject: Re: RPC Evasion techniques Lot of things can be done to evade IPS/IDS. The tricks vary from protcol to protocol. The difference in the decoding mechanism of security appliance and the application server can lead to many evasion techniques. I have created and tested many mutant exploits and they worked beautifully. The idea is to strike and exploit some fundamental concepts of logic and protocols which IDS/IPS makers tend to ignore or is simply beyond their device capability Apparently, I haven't documented and organized the work I did. But here is an introductory paper you should definitely read: http://www.cs.ucsb.edu/~rsg/Hidra/Papers/2004_vigna_robertson_balzarotti _CCS04.pdf --Pukhraj Singh On 10/27/05, tcp fin <inet_inaddr () yahoo com> wrote:Hi Guys , Any tips and tricks or good article on IDS/IPS evasion ? I have beautiful paper "Insertion, Evasion and Denial of Service: Eluding Network Intrusion detection". I need some pointers on RPC based evasion techniques. Regards, TCP FIN . __________________________________ Yahoo! Mail - PC Magazine Editors' Choice 2005 http://mail.yahoo.com ---------------------------------------------------------------------- -- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.------------------------------------------------------------------------------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- Re: RPC Evasion techniques Nakul Aggarwal (Nov 03)
- <Possible follow-ups>
- Re: RPC Evasion techniques Pukhraj Singh (Nov 03)
- Re: RPC Evasion techniques crazy frog crazy frog (Nov 07)
- Re: RPC Evasion techniques Pukhraj Singh (Nov 07)
- Re: RPC Evasion techniques crazy frog crazy frog (Nov 07)
- RE: RPC Evasion techniques Palmer, Paul (ISSAtlanta) (Nov 07)
- Re: RPC Evasion techniques Pukhraj Singh (Nov 07)
- Re: RPC Evasion techniques Jonathon Giffin (Nov 08)