Dailydave mailing list archives

Re: Britney and Kevin are Chaotic


From: Matt LeGrow <mlegrow () nfr com>
Date: Thu, 26 May 2005 15:08:36 -0400

Dave Aitel wrote:

> What sort of protocol designer makes their protocol different over the local named pipe interface and over the remote named pipe interface? An insane evil clown protocol designer, that's who.


You had me at "application layer fragmenting".

> I notice NFR has added a module that detects CANVAS's MSRPC evasions (http://www.nfr.com/solutions/detail.php?id=171).


Ahh, the Dark Lord of the Procedure Call has temporarily muddled your senses. We don't alert just because you're using CANVAS, we just handle it more properly now when the covert bar is cranked way up (due to a bug, we didn't previously). Mea culpa.

As an aside, client-side MSRPC fragmentation (at least over TCP) appearing on the wire is pretty dubious anyways; I've looked at quite a bit of MSRPC traffic and I certainly haven't seen it occur naturally. Not to say that it *can't*; but it probably *shouldn't*. So maybe just in this one case, it is actually sort of kinda maybe almost okay-ish to just match on the magic bit and cry wolf.

> Then again, the IDS industry is the deformed little brother of the information security industry. No matter how much you beat it up, it never gets any prettier. I've always wondered why so many good minds get sucked into it, never to be seen again.


Careful Dave, you're leading to the "half-picked scab" analogy for the Vulnerability Research industry ;-)

Matt LeGrow
NFR Rapid Response Team
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
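
The check described in the message above (flagging client-side MSRPC fragmentation over TCP by its header bits), as an added example that is not part of the original post and is not NFR's code. It assumes "the magic bit" refers to the PFC_FIRST_FRAG/PFC_LAST_FRAG flags in the connection-oriented DCE/RPC header and that the input is an already reassembled client-to-server TCP stream; the function names and sample PDUs are constructed for illustration.

```python
import struct

PTYPE_REQUEST = 0x00
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
HDR_LEN = 16  # size of the connection-oriented common header


def parse_pdus(stream: bytes):
    """Yield (ptype, flags, frag_len, call_id) per PDU in a reassembled stream."""
    off = 0
    while off + HDR_LEN <= len(stream):
        ver, _minor, ptype, flags = stream[off:off + 4]
        if ver != 5:
            raise ValueError(f"not DCE/RPC v5 at offset {off}")
        # drep byte 0, high nibble: 1 = little-endian integers, 0 = big-endian
        endian = "<" if stream[off + 4] & 0x10 else ">"
        frag_len, _auth_len, call_id = struct.unpack_from(endian + "HHI", stream, off + 8)
        # A real sensor would buffer an incomplete trailing PDU instead of raising.
        if frag_len < HDR_LEN or off + frag_len > len(stream):
            raise ValueError(f"bad frag_length {frag_len} at offset {off}")
        yield ptype, flags, frag_len, call_id
        off += frag_len


def fragmented_requests(stream: bytes):
    """Return call_ids of request PDUs that are not one complete fragment."""
    whole = PFC_FIRST_FRAG | PFC_LAST_FRAG
    hits = []
    for ptype, flags, _frag_len, call_id in parse_pdus(stream):
        if ptype == PTYPE_REQUEST and (flags & whole) != whole and call_id not in hits:
            hits.append(call_id)
    return hits


def build_request(call_id: int, flags: int, stub: bytes) -> bytes:
    """Build a constructed little-endian request PDU (context 0, opnum 0)."""
    body = struct.pack("<IHH", len(stub), 0, 0) + stub  # alloc_hint, p_cont_id, opnum
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_REQUEST, flags,
                      b"\x10\x00\x00\x00", HDR_LEN + len(body), 0, call_id)
    return hdr + body


# Constructed sample: call 1 is a single PDU, call 2 arrives in three fragments.
SAMPLE = (build_request(1, 0x03, b"A" * 8) + build_request(2, 0x01, b"B" * 4)
          + build_request(2, 0x00, b"B" * 4) + build_request(2, 0x02, b"B" * 4))

if __name__ == "__main__":
    print(fragmented_requests(SAMPLE))
```

Server responses are fragmented routinely for large results, so the check is only meaningful on the client-to-server direction.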

