Metasploit mailing list archives

IPS Filter plugin


From: suryak_batchu at yahoo.com (Surya Batchu)
Date: Thu, 31 May 2007 00:09:25 -0700 (PDT)

Thank you for the response. I appreciate it very much.

Surya


----- Original Message ----
From: H D Moore <hdm at metasploit.com>
To: framework at metasploit.com
Sent: Wednesday, May 30, 2007 10:23:02 PM
Subject: Re: [framework] IPS Filter plugin

This plugin is to prevent you from triggering a specific signature by 
accident - you still have to configure your exploit in such a way that it 
performs the bypass.

Most of the framework exploits were developed with IPS evasion in mind. 
For example, instead of lots of "AAAA", we use a random string generation 
function. We try to randomize as much of the traffic we send as possible 
and have been known to reject module submissions that don't meet these 
criteria. With that said, there are still exceptions (lpd exploits, for 
example), but these are a matter of time, not policy :-)

If you want to see the full list of evasion options for a given exploit, 
use the "show evasions" and "show advanced" commands. Since different 
options only work for some exploits and some IDS/IPS products, and these 
vendors constantly change their detection, we don't provide any 
recommended settings.

-HD

On Wednesday 30 May 2007 23:50, Surya Batchu wrote:
From the description of presentations on Metasploit, I thought that the
IPS filter plugin is meant for evading detection by IPS devices and yet
the exploit would be successful. I thought of using this feature to test
the effectiveness of IPS devices by populating patterns used by Snort
signatures.

From the plug-in code, I understand that the buffer having one of the
matching patterns is not sent out. I did not see any framework support
or module support to recreate the buffer with new content. If that is the
case, isn't it as good as not running the exploit?

Can this plugin be used to test the effectiveness of IPS devices? If
this plugin is not meant for this, are there any ways to configure or
extend the framework in such a way that payloads don't have pre-configured
patterns?







