IDS mailing list archives

RE: sidestep


From: "Golomb, Gary" <GGolomb () enterasys com>
Date: Wed, 30 Apr 2003 07:41:44 -0400



For those that don't know, the tool works by allowing you to choose which
type of attack you want, for example RPC, DNS, FTP etc and then run it
with a switch such as -evade, which will perform the attack on the box
and attempt to "evade" the IDS. The URL is
http://www.robertgraham.com/tmp/sidestep.html

Now I have run the tool with all of the possible attacks and it has
worked fine, but it doesn't always manage to evade snort.


Most all IDSes on the market nowadays can decode/detect these tactics.
When Robert released the tool, the concepts were quite novel, however
that was several years ago now. I doubt you'll have any luck "evading"
IDSes with sidestep. On the other hand, using the methods employed by
sidestep to create a "proxy" (like the earlier versions of fragrouter)
would probably yield much different results though. :) i.e., something
that obfuscates all RPC, DNS, etc. traffic which passes through it.
Also, there are several other protocols which are subject to the same
types of obfuscations that are not implemented in sidestep. SMB is one
such example.

So I am writing up the results of this for a project I am doing at Uni
however, when it comes to explaining how this tool tries to evade the IDS,
I can't because I don't know, and there seems to be no documentation to
explain how it is working, and I can't look at the source code.


The best way to figure it out is to look at the packets on the wire!

Also, these two papers look at the DNS and RPC portions of the tool.
https://dragon.enterasys.com/wp/DNS_Evasion.pdf
https://dragon.enterasys.com/wp/RPC_Evasion.pdf

-gary
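Added illustration (not from the thread, and not sidestep's or Dragon's code): the reply above says modern IDSes "decode" the DNS obfuscation rather than matching raw bytes. The example below assumes the DNS tactic in question is RFC 1035 label compression (an assumption; the thread does not say which encoding sidestep uses). It builds two constructed queries for the same name, one written out plainly and one using a compression pointer, shows that a raw byte signature only matches the first, and then shows a decoder that canonicalizes the name (with loop and bounds checks) so a watchlist check sees both. All message bytes and names are constructed for the demo.

```python
import struct


def encode_name(name):
    """Plain (uncompressed) wire encoding of a dotted DNS name."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return out + b"\x00"


def build_query(msg_id, questions):
    """Minimal DNS query: 12-byte header, RD set, given question records."""
    hdr = struct.pack("!HHHHHH", msg_id, 0x0100, len(questions), 0, 0, 0)
    return hdr + b"".join(questions)


QTYPE_A_IN = struct.pack("!HH", 1, 1)

# Constructed sample 1: the name written out in full.
PLAIN = build_query(0x1234, [encode_name("blocked.example.test") + QTYPE_A_IN])

# Constructed sample 2: same query, but "example.test" appears first and the
# second question spells "blocked" + pointer to offset 12 (0xC0 0x0C).
COMPRESSED = build_query(0x1234, [
    encode_name("example.test") + QTYPE_A_IN,
    b"\x07blocked" + b"\xc0\x0c" + QTYPE_A_IN,
])

# Constructed sample 3: a pointer that refers to itself (malformed).
LOOPING = build_query(0x1234, [b"\xc0\x0c" + QTYPE_A_IN])


def raw_signature_match(msg, name):
    """The naive check: look for the uncompressed wire form of the name."""
    return encode_name(name) in msg


def decode_name(msg, offset):
    """Decode a DNS name at `offset`, following compression pointers.
    Returns (canonical lowercase name, offset of the next field in the
    original record). Raises ValueError on truncation, unknown label
    types, and forward or looping pointers."""
    labels = []
    pos = offset
    run_start = offset   # start of the stretch of labels currently being read
    end = None           # where the next field begins in the original record
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:            # compression pointer
            if pos + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if end is None:
                end = pos + 2
            # Each pointer must jump strictly backwards past the start of
            # the current run; that rejects self-references and loops, and
            # guarantees termination without a jump counter.
            if target >= run_start:
                raise ValueError("forward or looping compression pointer")
            pos = run_start = target
            continue
        if length & 0xC0:
            raise ValueError("unsupported label type")
        pos += 1
        if length == 0:
            break
        if pos + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if end is None:
        end = pos
    return ".".join(labels), end


def question_names(msg):
    """Canonical names of every question in the query, in order."""
    if len(msg) < 12:
        raise ValueError("message shorter than DNS header")
    qdcount = struct.unpack("!H", msg[4:6])[0]
    pos, names = 12, []
    for _ in range(qdcount):
        name, pos = decode_name(msg, pos)
        if pos + 4 > len(msg):
            raise ValueError("truncated question")
        pos += 4                               # QTYPE + QCLASS
        names.append(name)
    return names


def watchlist_hits(msg, watchlist):
    """Decode first, then compare canonical names against a watchlist."""
    wanted = {w.lower().rstrip(".") for w in watchlist}
    return [n for n in question_names(msg) if n in wanted]


if __name__ == "__main__":
    for label, msg in (("plain", PLAIN), ("compressed", COMPRESSED)):
        print(label, "raw match:", raw_signature_match(msg, "blocked.example.test"),
              "decoded hits:", watchlist_hits(msg, ["blocked.example.test"]))
```

The raw-bytes check is what an early pattern-matching sensor would have done; the decoder is the "decode/detect" step the reply refers to, and the strictly-backwards pointer rule is what keeps a hostile pointer chain from spinning the parser.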




