Vulnerability Development mailing list archives
Re: [Full-Disclosure] Bypassing "smart" IDSes with misdirected frames? (long and boring)
From: Aaron Turner <synfinatic () gmail com>
Date: Thu, 27 May 2004 22:45:24 -0700
[snip original comments... read the archives if you don't know what this thread is about] Three comments: 1) Yes, playing with dst MAC addresses will work against most if not all inline IPS solutions, and probably every sniffer based IDS... they just don't track that sort of thing, although some do track source MAC's to make sure you're not running ettercap or something like that. About the only solution that might protect against that is a device which runs in a proxy-arp mode, since it would either not receive the packet or would correct the destination MAC before forwarding (in the case of a hw broadcast or hub). 2) Certain current and "state of the art" products can be evaded using other methods which cause them to become out of sync with the victim. Just last week I found a certain IPS vendor who will remain nameless still hasn't figured out how to do proper TCP stream reassembly and proper IP defragmentation. Other even more basic problems exist in various products for which appear to be either pure laziness or attempts to cut corners to boost performance numbers. 3) If you really want to have fun evading IDS you need to be using libnet & libpcap or raw sockets. -AT
Current thread:
- Bypassing "smart" IDSes with misdirected frames? (long and boring) Michal Zalewski (May 28)
- Re: Bypassing "smart" IDSes with misdirected frames? (long and boring) Jim Bauer (May 28)
- Re: [Full-Disclosure] Re: Bypassing "smart" IDSes with misdirected frames? (long and boring) Michal Zalewski (May 28)
- Re: Bypassing "smart" IDSes with misdirected frames? (long and boring) Oliver Friedrichs (May 28)
- Re: Bypassing "smart" IDSes with misdirected frames? (long and boring) Jim Bauer (May 28)
- Re: [Full-Disclosure] Bypassing "smart" IDSes with misdirected frames? (long and boring) Aaron Turner (May 28)
- Re: Bypassing "smart" IDSes with misdirected frames? (long and boring) Mike Frantzen (May 28)
- Re: [Full-Disclosure] Re: Bypassing "smart" IDSes with misdirected frames? (long and boring) Michal Zalewski (May 29)
- Re: Bypassing "smart" IDSes with misdirected frames? (long and boring) Srini (May 29)
- Re: Bypassing "smart" IDSes with misdirected frames? (long and boring) Jim Bauer (May 28)