IDS mailing list archives

RE: interesting paper on testing sig-based IDS


From: "Kyle Quest" <Kyle.Quest () networkengines com>
Date: Thu, 3 Mar 2005 08:48:34 -0500

Mick,
Have you thought about using fragroute/fragrouter for that???
They do a good job with TCP. It seems like that's what you
are asking for when you talk about TCP in your email.

Kyle

-----Original Message-----
From: buineach [mailto:securesolutions () gmail com]
Sent: Tuesday, March 01, 2005 6:59 PM
To: Jonathon Giffin
Cc: Kohlenberg, Toby; focus-ids () lists securityfocus com; Shai Rubin
Subject: Re: interesting paper on testing sig-based IDS


Hi
I just joined this forum so apologies if this has been asked/answered before.

Is this tool available to the general public, as I do a lot of IPS
testing and would like to verify further the fragmentation and TCP
segment handling of these inline products?
I have been assuming that all current IPS products have mechanisms to
deal with evasion techniques like this, but as the NSS testing results
show, a lot of current IPS solutions are nothing more than the offline
IDS they were before with many signatures disabled with 2 NICs.

A real concern I have with inline IPS that depend on a central CPU to
deal with fragmentation and segmentation evasion is that an overload
attack with this traffic will make the IPS the weakest link in the
network.
I have ruled out many IPS vendors based on using ISIC through the IPS
but would like to have a more specific tool to deal with TCP segment
shifting with Metasploit framework for example to see who fails here.

Any info appreciated.

Mick


