Vulnerability Development mailing list archives
Re: RPC/TCP Record Marking for IDS Evasion
From: Jeff Nathan <jeff () wwti com>
Date: Sat, 12 Jan 2002 12:16:59 -0800
Dug Song wrote:
> On Thu, Jan 10, 2002 at 06:34:38PM -0800, diphen () agitation net wrote:
>
> > I'm doing some work on parsing RPC protocols as part of my job, and I'm wondering if I've come up with a previously-unknown way of evading IDS for RPC-based attacks.
>
> i mentioned (and implemented) this about two years ago. Robert Graham subsequently fixed this in his NetworkICE product, not sure about others:
>
> http://archives.neohapsis.com/archives/ids/2000-q1/0007.html
> http://archives.neohapsis.com/archives/ids/2000-q1/0149.html

Snort's spp_rpc_decode preprocessor will also normalize RPC traffic broken up by record markers. [...]

> -d.
> ---
> http://www.monkey.org/~dugsong/

-Jeff
--
http://jeff.wwti.com (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen." - Albert Einstein
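
The normalization discussed in this message, as an added example that is not part of the original post and is not Snort's or NetworkICE's code: a sensor reassembles ONC RPC record-marked fragments (RFC 5531, section 11: a 4-byte mark whose high bit flags the last fragment and whose low 31 bits give the fragment length) into whole RPC messages before any signature is applied. The function names, the `MAX_RECORD` cap and the sample portmapper call are assumptions made for the illustration.

```python
import struct

LAST_FRAGMENT = 0x80000000  # high bit of the 4-byte record mark
MAX_RECORD = 1 << 20        # assumed cap against unbounded buffering

# Constructed sample: portmapper (program 100000) v2 GETPORT call header
# with AUTH_NULL credential and verifier; the xid is arbitrary.
CALL = struct.pack(">10I", 0x12345678, 0, 2, 100000, 2, 3, 0, 0, 0, 0)
PROG = struct.pack(">I", 100000)


def frame(msg, frag_size):
    """Build constructed test input: msg wrapped in record marks."""
    chunks = [msg[i:i + frag_size] for i in range(0, len(msg), frag_size)]
    out = bytearray()
    for i, chunk in enumerate(chunks):
        last = LAST_FRAGMENT if i == len(chunks) - 1 else 0
        out += struct.pack(">I", last | len(chunk)) + chunk
    return bytes(out)


def reassemble_records(stream, max_record=MAX_RECORD):
    """Return (records, fragment_counts, leftover) for a TCP byte stream."""
    records, counts = [], []
    current, nfrags, pos, record_start = bytearray(), 0, 0, 0
    while pos + 4 <= len(stream):
        (mark,) = struct.unpack_from(">I", stream, pos)
        length = mark & 0x7FFFFFFF
        if len(current) + length > max_record:
            raise ValueError("RPC record exceeds max_record")
        if pos + 4 + length > len(stream):
            break  # fragment body not fully received yet
        current += stream[pos + 4:pos + 4 + length]
        nfrags += 1
        pos += 4 + length
        if mark & LAST_FRAGMENT:  # record complete: hand it to detection
            records.append(bytes(current))
            counts.append(nfrags)
            current, nfrags, record_start = bytearray(), 0, pos
    return records, counts, stream[record_start:]


def calls_program(record, prog=PROG):
    """Detection check applied to the normalized record, not raw bytes."""
    return len(record) >= 16 and record[4:8] == b"\0\0\0\0" and record[12:16] == prog
```

The per-record fragment count returned alongside each message is itself a useful signal: a short call arriving in many tiny fragments is unusual for ordinary RPC clients.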