Bugtraq mailing list archives

Re: CyberCop Monitor NT 2.5


From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Wed, 24 May 2000 18:42:33 -0700


The "evasion" paper by "NAI" was actually created by Secure Networks, the
authors of the "Ballista" scanner (now CyberCop Scanner) product. To some
extent it was a white paper designed to convince people of the value of
scanners over IDSs. (Whitepapers aren't necessarily lies; you can bludgeon
the competition with facts, too).

Network General (Sniffer folks) created CyberCop Monitor v1.0 from
technology licensed from WheelGroup. McAfee Associates bought Network
General (forming Network Associates) at roughly the same time that Cisco
bought WheelGroup. After getting into a licensing snafu with Cisco (long
story there), NAI basically had to pull CyberCop Monitor off the market for
the time specified in the contract and create a new product from scratch
(now known as v2.x, which is completely unrelated to v1.x).

The evasion paper talks mostly about techniques at the raw TCP and IP
layers. An example would be to "desynchronize" a TCP connection: send a FIN
packet with a TTL so that the packet is seen by the IDS (which closes its
tables) but which gets dropped by a router before reaching the victim. This
allows an attacker to continue using a connection to attack the victim that
the IDS falsely believes is closed.

Whisker uses evasion techniques at the application layer rather than
transport layers. The following URLs are equivalent as far as the HTTP
server is concerned:
http://www.example.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
http://www.example.com/cgi-bin/./phf?Qalias=x%0a/bin/cat%20/etc/passwd
http://www.example.com/cgi-bin/x/../phf?Qalias=x%0a/bin/cat%20/etc/passwd
http://www.example.com/%63gi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
A lot of IDSs cannot detect the "signature" if it doesn't exactly match the
pattern they are looking for (which in this case would be "/cgi-bin/phf").

The marketing message from some IDS vendors has been that such attacks are
"purely theoretical" and not a practical worry. The anti-evasion
capabilities of an IDS are something you will have to evaluate yourself. On
one hand, utilities like "whisker" and "fragrouter" are at the "script
kiddy" level of sophistication; it doesn't take a genius to use them (you
could easily use them when evaluating an IDS). On the other hand, most
script kiddies don't do anything more complex than what they believe to be
"stealth" TCP scans (half-open scans that virtually all IDSs detect).

More information on attacking the IDS or evading it can be found at:
http://www.robertgraham.com/pubs/network-intrusion-detection.html#9.3
http://www.robertgraham.com/pubs/network-intrusion-detection.html#9.4
http://www.robertgraham.com/pubs/network-intrusion-detection.html#9.5

Robert Graham
CTO/Network ICE
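As an added illustration (not part of the original post or any product it names), here is the canonicalisation step a detection engine needs before matching a literal pattern such as "/cgi-bin/phf": percent-decode the path, collapse repeated slashes, then resolve "." and ".." segments the way the HTTP server will. The four URLs are the ones quoted in the message above; the benign URL and the function names are constructed for this example.

```python
import posixpath
import re
from urllib.parse import urlsplit, unquote

# Literal pattern an IDS looks for, as quoted in the post above.
SIGNATURE = "/cgi-bin/phf"


def normalize_path(path, max_rounds=3):
    """Canonicalise a URL path as the target HTTP server would interpret it.

    Percent-decoding is repeated a bounded number of times so that a path
    which decodes to further encoded bytes is still fully resolved; runs of
    '/' are collapsed; then posixpath.normpath resolves '.' and '..'
    segments (a '..' above the root is dropped, as servers do)."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = re.sub(r"/+", "/", path)
    normalized = posixpath.normpath(path)
    if not normalized.startswith("/"):
        normalized = "/" + normalized
    return normalized


def request_matches(url, signature=SIGNATURE):
    """True if the canonicalised request path contains the signature.
    Only the path is normalised; the query string is left exactly as sent."""
    return signature in normalize_path(urlsplit(url).path)


def naive_match(url, signature=SIGNATURE):
    """What a plain substring match with no canonicalisation reports."""
    return signature in urlsplit(url).path


# The four equivalent requests from the post, and a constructed benign one.
EVASIVE_URLS = [
    "http://www.example.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd",
    "http://www.example.com/cgi-bin/./phf?Qalias=x%0a/bin/cat%20/etc/passwd",
    "http://www.example.com/cgi-bin/x/../phf?Qalias=x%0a/bin/cat%20/etc/passwd",
    "http://www.example.com/%63gi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd",
]
BENIGN_URL = "http://www.example.com/cgi-bin/phonebook?name=x"

if __name__ == "__main__":
    for u in EVASIVE_URLS:
        print(f"naive={naive_match(u)!s:5} canonical={request_matches(u)!s:5} {u}")
    print(f"benign request matches: {request_matches(BENIGN_URL)}")
```

Only the first URL is caught by the naive substring match; after canonicalisation all four match while the benign request does not.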

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () securityfocus com]On Behalf Of
dr_erik_wright () GMX NET
Sent: Tuesday, May 23, 2000 4:51 PM
To: BUGTRAQ () securityfocus com
Subject: CyberCop Monitor NT 2.5

While playing with whisker's IDS evasion features, I determined that some
of the techniques employed are effective against Cybercop Monitor 2.5 on the
Windows NT platform.

This came as a great surprise to me since my company chose this product
because of the IDS evasion paper that Network Associates released a few
years ago. They don't seem to practice what they preach, just like every
other commercial security solution.

After doing some searching, I noticed that ISS Realsecure had a similar
problem that was reported on bugtraq a few months ago.

Thanks a bunch ISS and Network Associates.

--
Sent through Global Message Exchange - http://www.gmx.net
