IDS mailing list archives

Re: IPS Vendor Evasion


From: H D Moore <sflist () digitaloffense net>
Date: Wed, 3 Jan 2007 13:18:53 -0600

We didn't publish any such list of vendors. Every IDS/IPS product I have 
tested has at least one major evasion issue. I won't list what vendors 
these are, but saying the "top 5" wouldn't be far off. Preventing evasion 
is a hard problem and depends on the IPS knowing more about the target 
than the attacker. Two great "whitespace" examples come to mind:

1) Signatures that use \s and \S in their regular expressions. Not every 
text-based service treats the same byte set as "whitespace". The \s match 
often includes characters that things like FTP and SMTP servers don't 
consider white-space. Unless the IDS product is aware of how every vendor 
handles whitespace (and knows what target IP and service is what vendor), 
there is a good chance that any signature containing \s or \S is 
evadable.

2) HTTP protocol parsers that don't consider all of 0x09, 0x0b, 0x0c, 
0x0d, and 0x20 to be valid whitespace for separating HTTP fields are 
evadable when the target application is hosted on Apache or uses an 
Apache-based reverse proxy. If the IDS does treat all of these characters 
as whitespace, the signatures may still be evadable when a non-Apache 
server is being targeted.

Granted, it is possible to write signatures in a way that neither of these 
cases is an issue.

-HD

On Tuesday 02 January 2007 20:49, trav_2 () hotmail com wrote:
At Blackhat HD Moore and Brian Caswell did a presentation of bypassing
IPS. Maybe I dreamed this but wasn't there a list of vendors that were
and were not bypassed? Maybe it was not HD and Brian that did it. If
there was such a thing where can I find it?
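The two whitespace problems HD describes (a regex \s class that does not match the byte set a given server uses as field separators, and HTTP parsers that disagree on which of 0x09/0x0b/0x0c/0x0d/0x20 separate fields) boil down to a parser differential between the IDS and the target. The example below is added here and is not code from the thread or from any IDS product: it computes which bytes Python's bytes-regex \s actually matches, compares that set against the Apache-style separator set named in the post, and parses the same request line under two separator profiles to show that a signature written against the parsed request target only fires when the IDS uses the same whitespace definition as the server. The "strict" profile (space only) is a hypothetical used for contrast, not a claim about any particular server.

```python
import re

# Separator bytes that Apache-style HTTP parsing accepts between request-line
# fields, as listed in HD's post: 0x09, 0x0b, 0x0c, 0x0d and 0x20.
APACHE_HTTP_WS = frozenset({0x09, 0x0B, 0x0C, 0x0D, 0x20})

# Hypothetical stricter profile used only for contrast: a literal space is the
# sole separator. This is an assumption for the example, not a vendor fact.
STRICT_HTTP_WS = frozenset({0x20})


def regex_whitespace_bytes() -> frozenset:
    """Return the set of byte values that a bytes-pattern \\s matches in Python's re.

    This is what a signature author gets "for free" when writing \\s, and it is
    the set that has to be checked against the target's own separator set.
    """
    pat = re.compile(rb"\s")
    return frozenset(b for b in range(256) if pat.fullmatch(bytes([b])))


def parser_disagreement(ws_a: frozenset, ws_b: frozenset) -> frozenset:
    """Bytes that exactly one of the two profiles treats as a separator.

    Any byte in this set can make the IDS and the server split the same
    request line into different fields.
    """
    return frozenset(ws_a ^ ws_b)


def parse_request_line(line: bytes, ws: frozenset) -> tuple:
    """Split a request line into (method, target, version) using separator set ws.

    Runs of separator bytes collapse into one separator, mirroring lenient
    server behaviour. Raises ValueError if the line does not yield three fields.
    """
    fields = []
    current = bytearray()
    for b in line:
        if b in ws:
            if current:
                fields.append(bytes(current))
                current = bytearray()
        else:
            current.append(b)
    if current:
        fields.append(bytes(current))
    if len(fields) != 3:
        raise ValueError(f"expected 3 fields, got {len(fields)}: {fields!r}")
    return tuple(fields)


def signature_matches(line: bytes, ws: frozenset, target_prefix: bytes) -> bool:
    """Evaluate a signature against the parsed request target, not raw bytes.

    Returns True when the request target (as the given profile parses it)
    starts with target_prefix; an unparseable line never matches.
    """
    try:
        _method, target, _version = parse_request_line(line, ws)
    except ValueError:
        return False
    return target.startswith(target_prefix)


if __name__ == "__main__":
    # Constructed sample: a request line whose fields are separated by 0x0b
    # (vertical tab) instead of a space.
    sample = b"GET\x0b/admin HTTP/1.1"
    print("bytes matched by \\s:", sorted(regex_whitespace_bytes()))
    print("\\s vs Apache-style set disagree on:",
          sorted(parser_disagreement(regex_whitespace_bytes(), APACHE_HTTP_WS)))
    print("Apache-style parse:", parse_request_line(sample, APACHE_HTTP_WS))
    print("signature fires (Apache-style):",
          signature_matches(sample, APACHE_HTTP_WS, b"/admin"))
    print("signature fires (strict):",
          signature_matches(sample, STRICT_HTTP_WS, b"/admin"))
```

The useful operational check here is `parser_disagreement`: run it between the byte set your signature language's \s expands to and the separator set of each server type you actually protect, and treat any non-empty result as a signature that needs an explicit byte class instead of \s.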
