Security Basics mailing list archives

NIDS evasion techniques


From: Jonathan Askew JBASKEW <JBASKEW () uncg edu>
Date: Mon, 18 Feb 2008 19:11:33 -0500


Here is the situation. I have been trying to use fragrouter as well as
fragroute to test evasion of a network IDS, specifically Snort. I have
tried starting fragrouter, then running an nmap scan with SYN scan,
version detection, and a range of ports defined, but Snort detects the
scan. I have tried using the various fragmentation options but no luck.
Using fragroute I have had more success. I can run fragroute and start the
same nmap scan. Snort reports truncated TCP options and warnings of a data
offset but does not report any portscan traffic. I am using the latest
version of Snort with an updated rule set running on Ubuntu.

Is there any way to keep fragroute from generating alerts with Snort? Are
there any guides on using fragroute and/or fragrouter for IDS evasion? I
searched around but was not able to produce anything other than the man
page and a few references. Is there a better method I should be looking
into in order to avoid detection?



Thanks,
Blake

