Information Security News mailing list archives

Tool Allows For Bypassing IDS's


From: InfoSec News <isn () c4i org>
Date: Thu, 18 Apr 2002 02:23:37 -0500 (CDT)

Forwarded from: Aj Effin Reznor <aj () reznor com>

From a bugtraq posting today:
 
"I didn't see it posted to these lists, but yesterday Dug Song quietly
released a tool on the focus-ids list which totally blindsides Snort -
http://www.monkey.org/~dugsong/fragroute/index.html. His README.snort
file contains several fragroute scripts which blindside even the
current Snort version in CVS, tested on RedHat 7.2. For example, the
latest wu-ftpd exploits run through the one line "tcp_seg 1 new"  
don't trigger any Snort alerts at all."
 
What does Dug have to say about his tool?  From the above url:
 
"fragroute intercepts, modifies, and rewrites egress traffic destined
for a specified host, implementing most of the attacks described in
the Secure Networks "Insertion, Evasion, and Denial of Service:
Eluding Network Intrusion Detection" paper of January 1998.

It features a simple ruleset language to delay, duplicate, drop,
fragment, overlap, print, reorder, segment, source-route, or otherwise
monkey with all outbound packets destined for a target host, with
minimal support for randomized or probabilistic behaviour.

This tool was written in good faith to aid in the testing of network
intrusion detection systems, firewalls, and basic TCP/IP stack
behaviour. Please do not abuse this software."
 
All the more reason for admins to not be reliant on IDS systems and to
add another layer to their security structure.

Props to Dug for keeping proof of concept alive.
 
-aj.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
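
The evasion the quoted posting describes, seen from the sensor's side, as an added example that is not part of the original message and not code from fragroute or Snort. It assumes that "tcp_seg 1 new" cuts TCP data into 1-byte segments and prefers newer data where segments overlap (a reading of fragroute's rule language, not stated on this page); the signature, payload and function names are constructed for illustration.

```python
import re

# Constructed signature and payload, for illustration only (not a real Snort rule).
SIGNATURE = re.compile(rb"SITE EXEC")
PAYLOAD = b"USER ftp\r\nPASS x@\r\nSITE EXEC test\r\n"


def segment(payload, size, isn=1000):
    """Split a payload into (sequence_number, data) TCP-like segments."""
    return [(isn + i, payload[i:i + size]) for i in range(0, len(payload), size)]


def per_packet_match(segments):
    """Naive sensor: test the signature against each segment in isolation."""
    return any(SIGNATURE.search(data) for _, data in segments)


def reassemble(segments, isn=1000, prefer_new=True):
    """Rebuild the byte stream by sequence number; prefer_new picks the winner on overlap."""
    stream = {}
    for seq, data in segments:
        for offset, byte in enumerate(data):
            pos = seq - isn + offset
            if prefer_new or pos not in stream:
                stream[pos] = byte
    out = bytearray()
    pos = 0
    while pos in stream:  # stop at the first gap in the stream
        out.append(stream[pos])
        pos += 1
    return bytes(out)


def stream_match(segments, **policy):
    """Stream-aware sensor: test the signature against the reassembled bytes."""
    return bool(SIGNATURE.search(reassemble(segments, **policy)))


def tiny_segment_ratio(segments, threshold=4):
    """Heuristic: fraction of data segments at or below `threshold` bytes."""
    sizes = [len(data) for _, data in segments if data]
    return sum(s <= threshold for s in sizes) / len(sizes) if sizes else 0.0
```

A sensor that reassembles must also resolve overlaps the same way the protected host does (`prefer_new` here), otherwise the two see different streams; a high `tiny_segment_ratio` on a session is worth alerting on in its own right.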

