IDS mailing list archives
Re: IPS Vendor Evasion
From: H D Moore <sflist () digitaloffense net>
Date: Wed, 3 Jan 2007 13:18:53 -0600
We didn't publish any such list of vendors. Every IDS/IPS product I have tested has at least one major evasion issue. I won't list what vendors these are, but saying the "top 5" wouldn't be far off. Preventing evasion is a hard problem and depends on the IPS knowing more about the target than the attacker. Two great "whitespace" examples come to mind:

1) Signatures that use \s and \S in their regular expressions. Not every text-based service treats the same byte set as "whitespace". The \s match often includes characters that things like FTP and SMTP servers don't consider white-space. Unless the IDS product is aware of how every vendor handles whitespace (and knows what target IP and service is what vendor), there is a good chance that any signature containing \s or \S is evadable.

2) HTTP protocol parsers that don't consider all of 0x09, 0x0b, 0x0c, 0x0d, and 0x20 to be valid whitespace for separating HTTP fields are evadable when the target application is hosted on Apache or uses an Apache-based reverse proxy. If the IDS does treat all of these characters as whitespace, the signatures may still be evadable when a non-Apache server is being targeted.

Granted, it is possible to write signatures in a way that neither of these cases are issues.

-HD

On Tuesday 02 January 2007 20:49, trav_2 () hotmail com wrote:
At Blackhat HD Moore and Brian Caswell did a presentation of bypassing IPS. Maybe I dreamed this but wasn't there a list of vendors that were and were not bypassed? Maybe it was not HD and Brian that did it. If there was such a thing where can I find it?
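The mismatch HD describes in both points is between two whitespace sets: the bytes a signature's \s (or its HTTP parser) treats as a separator, and the bytes the target server actually treats as one. The following Python is an added example, not code from the post or from any IDS product. It computes the byte set this regex engine's \s matches, compares it against the Apache field-separator set quoted in the post (0x09, 0x0b, 0x0c, 0x0d, 0x20) and against an assumed narrow parser that only knows space and tab, reports the bytes on which each pair disagrees, and shows how a request line tokenises differently under each set. The `ws_class` helper builds an explicit character class from a chosen whitespace set, which is the "write the signature so it mirrors the target" approach the post says is possible. The narrow parser, the sample request line and the signature pattern are constructed for illustration.

```python
import re

# Bytes that this engine's \s matches in bytes mode (computed, not assumed).
# An IDS's own regex engine may use a different set; that variation is the point.
PCRE_LIKE_S = frozenset(b for b in range(256) if re.match(rb'\s', bytes([b])))

# Field-separator bytes the post says Apache accepts between HTTP fields.
APACHE_WS = frozenset({0x09, 0x0B, 0x0C, 0x0D, 0x20})

# Assumed (hypothetical) narrow parser that only recognises space and tab.
NARROW_WS = frozenset({0x20, 0x09})


def whitespace_gap(signature_ws, target_ws):
    """Return (only_signature, only_target) as sorted byte lists.

    Bytes in only_target are separators the server honours but the signature
    will not consume, i.e. the gap an IDS audit should flag. Bytes in
    only_signature are the opposite mismatch (signature is looser than server).
    """
    return (sorted(signature_ws - target_ws), sorted(target_ws - signature_ws))


def split_fields(line, ws):
    """Tokenise a request line the way a parser with whitespace set `ws` would."""
    fields, cur = [], bytearray()
    for b in line:
        if b in ws:
            if cur:
                fields.append(bytes(cur))
                cur = bytearray()
        else:
            cur.append(b)
    if cur:
        fields.append(bytes(cur))
    return fields


def ws_class(ws):
    """Build an explicit regex character class (bytes) from a whitespace set,
    so a signature can state exactly which separators it accepts instead of \\s."""
    return b'[' + b''.join(b'\\x%02x' % b for b in sorted(ws)) + b']'


def signature_hits(ws, line):
    """Hypothetical signature: GET, one or more separators, then /index.html.
    Returns True when the signature, written with separator set `ws`, matches."""
    pattern = rb'^GET' + ws_class(ws) + rb'+/index\.html'
    return re.match(pattern, line) is not None


# Constructed sample: a request line whose method/path separator is 0x0b.
SAMPLE_LINE = b'GET\x0b/index.html HTTP/1.0'

if __name__ == '__main__':
    print('narrow vs Apache gap:', whitespace_gap(NARROW_WS, APACHE_WS))
    print('\\s vs Apache gap:   ', whitespace_gap(PCRE_LIKE_S, APACHE_WS))
    print('server view:', split_fields(SAMPLE_LINE, APACHE_WS))
    print('narrow view:', split_fields(SAMPLE_LINE, NARROW_WS))
    print('narrow signature hits:', signature_hits(NARROW_WS, SAMPLE_LINE))
    print('Apache-aware signature hits:', signature_hits(APACHE_WS, SAMPLE_LINE))
```

The same `whitespace_gap` check applies to the FTP/SMTP case in point 1: substitute the byte set a given server implementation treats as whitespace for `APACHE_WS`, and any byte that lands in `only_target` is one a \s-based signature will not consume while the server will. Running the check per target service, rather than trusting \s, is what lets a signature author choose an explicit class via `ws_class`.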