Vulnerability Development mailing list archives

Re: RPC/TCP Record Marking for IDS Evasion


From: Jeff Nathan <jeff () wwti com>
Date: Sat, 12 Jan 2002 12:16:59 -0800

Dug Song wrote:

On Thu, Jan 10, 2002 at 06:34:38PM -0800, diphen () agitation net wrote:

I'm doing some work on parsing RPC protocols as part of my job, and I'm
wondering if I've come up with a previously-unknown way of evading IDS
for RPC-based attacks.

i mentioned (and implemented) this about two years ago. Robert Graham
subsequently fixed this in his NetworkICE product, not sure about others:

        http://archives.neohapsis.com/archives/ids/2000-q1/0007.html
        http://archives.neohapsis.com/archives/ids/2000-q1/0149.html


Snort's spp_rpc_decode preprocessor will also normalize RPC traffic
broken up by record markers.


[...]


-d.

---
http://www.monkey.org/~dugsong/

-Jeff

-- 
http://jeff.wwti.com            (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein
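As an added example (not code from this thread, from Snort, or from any product named above): the record-marking reassembly an IDS preprocessor has to perform before pattern matching, in Python, run over a constructed portmapper GETPORT call that has been split across three TCP record fragments. Names such as `reassemble_rpc_records` and `parse_call_header` are this example's own.

```python
import struct

LAST_FRAGMENT = 0x80000000  # high bit of the 4-byte record marker

def reassemble_rpc_records(stream: bytes):
    """Normalize an RPC-over-TCP byte stream (RFC 5531 section 11 record marking).

    Each fragment is prefixed by a big-endian 32-bit marker: the top bit flags
    the last fragment of a record, the low 31 bits give the fragment length.
    Returns (records, leftover): every complete record as one byte string with
    markers stripped and fragment bodies concatenated, plus any trailing bytes
    that do not yet form a complete record.
    """
    records, current = [], bytearray()
    pos = record_start = 0
    while pos + 4 <= len(stream):
        (marker,) = struct.unpack_from(">I", stream, pos)
        length = marker & 0x7FFFFFFF
        if pos + 4 + length > len(stream):
            break  # fragment truncated: wait for more data
        current += stream[pos + 4:pos + 4 + length]
        pos += 4 + length
        if marker & LAST_FRAGMENT:
            records.append(bytes(current))
            current = bytearray()
            record_start = pos
    return records, stream[record_start:]

def parse_call_header(record: bytes) -> dict:
    """Decode the fixed part of an ONC RPC CALL message from a reassembled record."""
    xid, msg_type, rpcvers, prog, vers, proc = struct.unpack_from(">6I", record, 0)
    if msg_type != 0 or rpcvers != 2:
        raise ValueError("not an RPC v2 CALL")
    return {"xid": xid, "prog": prog, "vers": vers, "proc": proc}

# Constructed sample (not captured traffic): one 40-byte portmapper GETPORT
# call (prog 100000, vers 2, proc 3, AUTH_NULL cred and verf) carried as
# three record fragments of 1, 3 and 36 bytes.
CALL = struct.pack(">10I", 0x1234, 0, 2, 100000, 2, 3, 0, 0, 0, 0)
FRAGMENTED = b"".join([
    struct.pack(">I", 1) + CALL[:1],
    struct.pack(">I", 3) + CALL[1:4],
    struct.pack(">I", LAST_FRAGMENT | len(CALL[4:])) + CALL[4:],
])

if __name__ == "__main__":
    records, leftover = reassemble_rpc_records(FRAGMENTED)
    print(parse_call_header(records[0]), len(leftover))
```

A detector that inspects only the first fragment sees a single byte of this call; only the reassembled record exposes the program and procedure numbers a signature would match on.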