Penetration Testing mailing list archives

Re: IDS Assessments....and the I{D|P}S evasion research project


From: Sam Gorton <sgorton () skaion com>
Date: Thu, 16 Nov 2006 14:51:51 -0500

On Wed, Nov 15, 2006 at 04:22:19PM -0500, Joseph McCray wrote:
> Have any of you ever taken the time to develop a list signatures and
> their corresponding tools and/or exploits that actually trigger every
> individual signature the IDS has?

Joe, we did something similar for a client - we picked a single 
exploit and performed a whole set of mangling and evasion tests with 
it.

As a foundation, we used the ISAPI .printer exploit by eEye, which has 
the very useful payload of writing a file on the target system.  If 
the file is there, you know the exploit worked.

To help us automate the correlation, we bound each individual test 
case to a unique source port, and included the source port in the file 
name. (Well, we used N for 9, because the exploit couldn't write a 9, 
but you get the idea).  So that way we knew that for a given suite of 
tests, source port 30000 was test X.

Even if you can't do the rest of it, keying each test case to a source 
port is an enormous help in correlation.

--
Sam Gorton                |   Skaion Corporation
sgorton () skaion com        |   978-251-3963
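As an added illustration of the source-port keying Sam describes (this is not code from the post or from Skaion), the script below correlates the marker files found on the target with the IDS alert log to give a per-test verdict. The test-case names, the `test_<port>.txt` file name and the alert line format are assumptions; the 'N'-for-'9' substitution is taken from the post.

```python
import re
# Constructed sample suite: every test case is sent from its own source port,
# so the port alone identifies the test (the correlation trick from the post).
TEST_CASES = {
    29999: "baseline .printer exploit",
    30000: "URL-encoded request path",
    30001: "TCP segmentation",
}

def port_to_filename(port: int) -> str:
    # The payload writes this file on the target; 'N' stands in for '9'
    # because the exploit payload could not emit that digit (as in the post).
    return "test_" + str(port).replace("9", "N") + ".txt"

def filename_to_port(name: str) -> int:
    # Inverse of port_to_filename: map 'N' back to '9'.
    m = re.fullmatch(r"test_([0-9N]+)\.txt", name)
    if m is None:
        raise ValueError(f"not a test marker file: {name!r}")
    return int(m.group(1).replace("N", "9"))

# Hypothetical alert line format: "<signature> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
ALERT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+->\s+\d{1,3}(?:\.\d{1,3}){3}:\d+")

def alerted_ports(alert_lines) -> set:
    # Source ports that appear in at least one IDS alert line.
    return {int(m.group(2)) for line in alert_lines
            for m in [ALERT_RE.search(line)] if m}

def classify(succeeded: bool, alerted: bool) -> str:
    if succeeded and alerted:
        return "detected"            # exploit worked and the IDS saw it
    if succeeded:
        return "evaded"              # exploit worked, IDS silent: the finding that matters
    return "exploit-failed/alerted" if alerted else "exploit-failed/silent"

def correlate(test_cases, marker_files, alert_lines) -> dict:
    # Per-test verdict from the files found on the target and the IDS alert log.
    succeeded = {filename_to_port(f) for f in marker_files}
    alerted = alerted_ports(alert_lines)
    return {name: classify(port in succeeded, port in alerted)
            for port, name in test_cases.items()}

# Constructed outcome of one run: marker files found on the target, IDS alerts seen.
MARKER_FILES = ["test_2NNNN.txt", "test_30000.txt"]
ALERTS = [
    "[constructed] ISAPI .printer overflow 10.0.0.5:29999 -> 10.0.0.9:80",
    "[constructed] ISAPI .printer overflow 10.0.0.5:30001 -> 10.0.0.9:80",
]
```

With the constructed data, `correlate(TEST_CASES, MARKER_FILES, ALERTS)` marks the baseline as detected, the URL-encoded variant as evaded, and the segmentation case as an exploit that did not land but still alerted.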
