Dailydave mailing list archives

Re: Britney and Kevin are Chaotic


From: Matt LeGrow <mlegrow () nfr com>
Date: Thu, 26 May 2005 15:10:32 -0400

Rodney Thayer wrote:

> Then again writing filters to filter on security tools is some sort of semi-narcissistic self-indulgent waste of time that I'm not thrilled any vendor would charge money to deliver.



I actually think writing filters to detect security tools is fairly useful (so long as it can be done with some degree of accuracy) which is why we have a "scanners" package. But that's neither here nor there with respect to this update, which relates to the "MSRPC" package.

> Make the damn dog bark when the bad guys are around, not when the dog trainer is around.


I think you misunderstood the original update. Note the use of the words "deal more effectively with advanced obfuscation techniques" before we mentioned CANVAS in the NFR release. Support for fragmentation evasion (of the MSRPC variety) was in the product months before the CRI was out, thank you very much. That's how our MSRPC package can normalize fragments tunneled directly through IIS, which IIRC CANVAS can't even perform as an evasion trick (yet).

And speaking of narcissism, I thought the whole point of the CRI, and presenting at various conventions, was to wake vendors up and get them to continually improve their detection, not to pummel them when they give Immunity free press by actually integrating CANVAS' evasions into testing their product. Sheesh :-)

Matt LeGrow
NFR Rapid Response Team