IDS mailing list archives

Re: RPC Evasion techniques


From: Pukhraj Singh <pukhraj.singh () gmail com>
Date: Fri, 4 Nov 2005 02:50:49 +0530

So, I strongly believe that the published results are not a
reflection of the quality of recent ISS product protection.

Can't comment on that.

Even so, I still believe that the results demonstrate the
strengths of the authors' technology to expose limitations in
an IDS/IPS product whether or not the product is still relevant.

I concur. The tidbits about these issues have been known for quite a while
now; it's just that the scope of these discussions was primarily
limited to the developer's desk. Now, as the security appliances are
actually doing some advanced protocol decoding and lexical analysis,
these issues become very important.

I think the authors are also planning for the public release of the
exploit mutation tool.

-Regards
 Pukhraj




On 11/4/05, Palmer, Paul (ISSAtlanta) <PPalmer () iss net> wrote:
I would like to make a comment on that paper you cited as it relates to
the test results.

I am impressed by the authors' technology. I believe they are helping to
advance the state of the art in IDS/IPS testing. However, ISS has been
unable to reproduce the results that the authors describe with recent
products. I believe that the authors were using older versions of ISS
products during testing. So far, they have not provided product version
information when asked.

So, I strongly believe that the published results are not a reflection
of the quality of recent ISS product protection. Even so, I still
believe that the results demonstrate the strengths of the authors'
technology to expose limitations in an IDS/IPS product whether or not
the product is still relevant.

Paul

-----Original Message-----
From: Pukhraj Singh [mailto:pukhraj.singh () gmail com]
Sent: Monday, October 31, 2005 7:28 AM
To: tcp fin
Cc: focus-ids () securityfocus com
Subject: Re: RPC Evasion techniques


Lot of things can be done to evade IPS/IDS.

The tricks vary from protocol to protocol. The difference in the decoding
mechanism of the security appliance and the application server can lead to
many evasion techniques. I have created and tested many mutant exploits
and they worked beautifully. The idea is to strike and exploit some
fundamental concepts of logic and protocols which IDS/IPS makers tend to
ignore, or which are simply beyond their device's capability.

Apparently, I haven't documented and organized the work I did.

But here is an introductory paper you should definitely read:
http://www.cs.ucsb.edu/~rsg/Hidra/Papers/2004_vigna_robertson_balzarotti_CCS04.pdf

--Pukhraj Singh


On 10/27/05, tcp fin <inet_inaddr () yahoo com> wrote:
Hi Guys,
Any tips and tricks or good article on IDS/IPS evasion?
I have a beautiful paper, "Insertion, Evasion and Denial
of Service: Eluding Network Intrusion Detection".
I need some pointers on RPC-based evasion techniques.

Regards,
TCP FIN.





----------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.

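The decoder-mismatch point raised earlier in the thread, illustrated for ONC RPC record marking over TCP (RFC 5531, section 11): an inspector that matches each fragment on its own misses a pattern that the RPC server only sees after reassembling the record. This is an added example, not code from any participant in the thread; the record contents, the 16/8 fragment split and the `MARKER` pattern are constructed.

```python
import struct
LAST_FRAG = 0x80000000  # high bit of the 4-byte record-marking header

def split_fragments(stream: bytes):
    """Yield (is_last, payload) per record-marked fragment; raise on truncation."""
    off = 0
    while off < len(stream):
        if off + 4 > len(stream):
            raise ValueError("truncated record-marking header")
        (hdr,) = struct.unpack("!I", stream[off:off + 4])
        length = hdr & 0x7FFFFFFF          # low 31 bits: fragment length
        off += 4
        if off + length > len(stream):
            raise ValueError("truncated fragment body")
        yield bool(hdr & LAST_FRAG), stream[off:off + length]
        off += length

def reassemble(stream: bytes):
    """Rebuild complete records the way the RPC server sees them."""
    records, cur = [], bytearray()
    for last, payload in split_fragments(stream):
        cur += payload
        if last:
            records.append(bytes(cur))
            cur = bytearray()
    return records

def encode_record(record: bytes, sizes):
    """Constructed sender: emit one record as fragments of the given sizes."""
    out, off = bytearray(), 0
    for i, n in enumerate(sizes):
        chunk = record[off:off + n]
        out += struct.pack("!I", len(chunk) | (LAST_FRAG if i == len(sizes) - 1 else 0)) + chunk
        off += n
    return bytes(out)

def naive_match(stream: bytes, pattern: bytes) -> bool:
    """Inspector that checks each fragment on its own (no reassembly)."""
    return any(pattern in p for _, p in split_fragments(stream))

def reassembled_match(stream: bytes, pattern: bytes) -> bool:
    """Inspector that matches against the reassembled record."""
    return any(pattern in r for r in reassemble(stream))

# Constructed sample: a 24-byte record and a pattern that a 16/8 split cuts in two.
RECORD = b"rpc-call-body:MARKER-end"
PATTERN = b"MARKER"
WHOLE = encode_record(RECORD, [24])
SPLIT = encode_record(RECORD, [16, 8])
```

Running `naive_match(SPLIT, PATTERN)` returns False while `reassembled_match(SPLIT, PATTERN)` returns True, which is exactly the gap between the appliance's view and the server's view that the thread describes.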

