Re: [Full-Disclosure] Bypassing "smart" IDSes with misdirected frames? (long and boring)

[Aaron Turner <synfinatic () gmail com>]

[snip original comments... read the archives if you don't know what
this thread is about]

Three comments:
1) Yes, playing with dst MAC addresses will work against most if not
all inline IPS solutions, and probably every sniffer based IDS... they
just don't track that sort of thing, although some do track source
MAC's to make sure you're not running ettercap or something like that.
 About the only solution that might protect against that is a device
which runs in a proxy-arp mode, since it would either not receive the
packet or would correct the destination MAC before forwarding (in the
case of a hw broadcast or hub).

2) Certain current and "state of the art" products can be evaded using
other methods which cause them to become out of sync with the victim. 
Just last week I found a certain IPS vendor who will remain nameless
still hasn't figured out how to do proper TCP stream reassembly and
proper IP defragmentation.  Other even more basic problems exist in
various products for which appear to be either pure laziness or
attempts to cut corners to boost performance numbers.

3) If you really want to have fun evading IDS you need to be using
libnet & libpcap or raw sockets.

-AT