Full Disclosure mailing list archives
Re: Bypassing "smart" IDSes with misdirected frames? (long and boring)
From: Aaron Turner <synfinatic () gmail com>
Date: Thu, 27 May 2004 22:45:24 -0700
[snip original comments... read the archives if you don't know what this thread is about]

Three comments:

1) Yes, playing with dst MAC addresses will work against most if not all inline IPS solutions, and probably every sniffer-based IDS... they just don't track that sort of thing, although some do track source MACs to make sure you're not running ettercap or something like that. About the only solution that might protect against that is a device which runs in a proxy-arp mode, since it would either not receive the packet or would correct the destination MAC before forwarding (in the case of a hw broadcast or hub).

2) Certain current and "state of the art" products can be evaded using other methods which cause them to become out of sync with the victim. Just last week I found a certain IPS vendor who will remain nameless still hasn't figured out how to do proper TCP stream reassembly and proper IP defragmentation. Other even more basic problems exist in various products which appear to be either pure laziness or attempts to cut corners to boost performance numbers.

3) If you really want to have fun evading IDS you need to be using libnet & libpcap or raw sockets.

-AT

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
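Added example, not part of the original post: a sketch of the destination-MAC tracking that point 1 says sensors lack, flagging IPv4 frames whose dst MAC does not match the MAC the sensor expects for the dst IP. The binding table, gateway MAC, addresses and function names are all constructed for illustration.

```python
import socket
import struct

# Constructed inventory: IP -> MAC the sensor expects on the monitored segment.
BINDINGS = {"10.0.0.5": "00:11:22:33:44:55", "10.0.0.9": "00:11:22:33:44:99"}
GATEWAY_MAC = "00:aa:bb:cc:dd:01"  # constructed; next hop for off-segment IPs

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def check_frame(frame, bindings=BINDINGS, gateway_mac=GATEWAY_MAC):
    """Return (verdict, detail) for one untagged Ethernet II frame."""
    if len(frame) < 34:
        return ("skip", "too short for Ethernet + IPv4 header")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return ("skip", "not IPv4 (VLAN-tagged frames are not handled here)")
    dst_mac = mac_str(frame[0:6])
    dst_ip = socket.inet_ntoa(frame[30:34])  # IPv4 dst sits at a fixed offset
    if frame[30] >= 224:  # multicast/limited broadcast; subnet broadcasts not modelled
        return ("ok", "group or broadcast IP destination")
    if frame[0] & 0x01:  # group bit set in the dst MAC
        return ("alert", f"unicast IP {dst_ip} sent to group/broadcast MAC {dst_mac}")
    expected = bindings.get(dst_ip, gateway_mac)
    if dst_mac != expected:
        return ("alert", f"{dst_ip} expected at {expected}, frame addressed to {dst_mac}")
    return ("ok", "dst MAC matches binding")

def sample_frame(dst_mac, dst_ip, src_mac="00:11:22:33:44:77", src_ip="10.0.0.7"):
    """Constructed Ethernet + IPv4 header bytes (no payload, zero checksum)."""
    eth = bytes.fromhex((dst_mac + src_mac).replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip

if __name__ == "__main__":
    for mac in ("00:11:22:33:44:55", "00:11:22:33:44:99", "ff:ff:ff:ff:ff:ff"):
        print(mac, check_frame(sample_frame(mac, "10.0.0.5")))
```

A sensor that raises this alert can also exclude the mismatched frame from its stream state, since the host it is modelling would not have accepted it.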