IDS mailing list archives

RE: Foolin an IDS ?


From: Shaiful <shaifuljahari () yahoo com>
Date: Wed, 1 Dec 2004 18:06:00 -0800 (PST)

Hi,

There is a new paper by OK on IDS evasion:

Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic, by Oleg Kolesnikov, Dave Dagon, and Wenke Lee, 2004.

http://www.cc.gatech.edu/~ok/w/ok_pw.pdf

Regards,
Shaiful
--- Eric Hines <eric.hines () appliedwatch com> wrote:

There is a pretty well-known paper written by Ptacek and Newsham, "Intrusion Detection System Insertion, Evasion, and Denial of Service", that outlines multiple techniques for eluding IDSs:
http://secinf.net/info/ids/idspaper/idspaper.html

A tool called Fragroute, by Dug Song, was created based on the techniques outlined in this paper; it illegally fragments your outbound packets to a destination host based on how you tell it to fragment the traffic.

"fragroute intercepts, modifies, and rewrites egress traffic destined for a specified host, implementing most of the attacks described in the Secure Networks "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" paper of January 1998. It features a simple ruleset language to delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host, with minimal support for randomized or probabilistic behaviour."
http://monkey.org/~dugsong/fragroute/

I'd also recommend reading about and researching payload encryptors like ADMmutate, written by ADM. "In a nutshell, this API can mask buffer overflow exploit signatures from Network IDS systems so that they are more difficult to detect."
README: http://www.ktwo.ca/readme.html
Homepage: http://www.ktwo.ca/security.html

HTH.


Best Regards,

Eric Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, Inc.


------------------------------------------------------------------------

1134 N. Main St.                     Tel: (877) 262-7593 x327
Algonquin, IL 60102                  Fax: (877) 262-7593
http://www.appliedwatch.com          Mobile: (847) 456-6785
                                     Email: eric.hines () appliedwatch com

------------------------------------------------------------------------
"Redefining Open Source Enterprise Management"

------------------------------------------------------------------------



-----Original Message-----
From: Sec Traq [mailto:sectraq () gmail com] 
Sent: Saturday, November 27, 2004 4:44 PM
To: focus-ids () securityfocus com
Subject: Foolin an IDS ?



Hi,

I have read a couple of papers on how to fool an IDS, one of them from Phrack. I find the subject really interesting and am considering it as an MSc. project, but I need more advanced and technical papers. If anyone could advise, your help would be appreciated.

Thanks


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with
real-world attacks from CORE
IMPACT.
Go to

http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.

--------------------------------------------------------------------------









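The fragroute description quoted in Eric's message (its "fragment" and "overlap" rules) and the Ptacek and Newsham paper both turn on one ambiguity: a network sensor and the protected host may resolve overlapping TCP data differently, so the sensor can reassemble a stream the host never sees. The following Python is an added example, not code from this thread, from fragroute or from ADMmutate; it reassembles a segment list under two assumed host policies and flags overlaps whose bytes disagree, which is the defender-side signal such traffic leaves regardless of which policy the host follows. The segment tuples, the policy names and the function names are constructed for illustration.

```python
"""Detect ambiguous TCP segment overlaps (added defender-side example;
not from the thread or any tool it names). Segments are constructed inline."""

from typing import Dict, List, Tuple

Segment = Tuple[int, bytes]  # (relative sequence number, payload)


def reassemble(segments: List[Segment], favor_new: bool) -> bytes:
    """Reassemble a stream under one of two assumed host policies:
    favor_new=False keeps the byte that arrived first, favor_new=True
    lets a later segment overwrite earlier data. A sensor hard-wired to
    one policy while the protected host uses the other is the classic
    insertion/evasion mismatch; gaps are zero-filled to keep this simple."""
    stream: Dict[int, int] = {}
    for seq, data in segments:
        for i, b in enumerate(data):
            off = seq + i
            if favor_new or off not in stream:
                stream[off] = b
    if not stream:
        return b""
    return bytes(stream.get(i, 0) for i in range(max(stream) + 1))


def overlap_conflicts(segments: List[Segment]) -> List[Tuple[int, int, int]]:
    """Return (offset, first_byte, later_byte) for every stream offset
    that two segments cover with *different* bytes. An overlap with
    identical bytes is an ordinary retransmission; a conflicting one is
    worth an alert on its own, before any signature matching is done."""
    seen: Dict[int, int] = {}
    conflicts: List[Tuple[int, int, int]] = []
    for seq, data in segments:
        for i, b in enumerate(data):
            off = seq + i
            if off in seen and seen[off] != b:
                conflicts.append((off, seen[off], b))
            seen.setdefault(off, b)
    return conflicts


# Constructed samples: a benign retransmission of offsets 4..9, and a
# crafted overlap where the second copy of offsets 4..8 carries other bytes.
BENIGN: List[Segment] = [(0, b"GET /index.html"), (4, b"/index")]
CRAFTED: List[Segment] = [(0, b"GET /xxxx.html"), (4, b"/cmd.")]

if __name__ == "__main__":
    for name, segs in (("benign", BENIGN), ("crafted", CRAFTED)):
        print(name, "first-wins:", reassemble(segs, favor_new=False),
              "last-wins:", reassemble(segs, favor_new=True),
              "conflicts:", overlap_conflicts(segs))
```

Run as a script it shows the crafted sample reassembling to two different request lines depending on policy, while the benign retransmission reassembles identically and reports no conflicts.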