Penetration Testing mailing list archives
Re: IDS Assessments....and the I{D|P}S evasion research project
From: Sam Gorton <sgorton () skaion com>
Date: Thu, 16 Nov 2006 14:51:51 -0500
On Wed, Nov 15, 2006 at 04:22:19PM -0500, Joseph McCray wrote:
Have any of you ever taken the time to develop a list signatures and their corresponding tools and/or exploits that actually trigger every individual signature the IDS has?
Joe, we did something similar for a client - we picked a single exploit and performed a whole set of mangling and evasion tests with it. As a foundation, we used the ISAPI .printer exploit by eEye, which has the very useful payload of writing a file on the target system. If the file is there, you know the exploit worked. To help us automate the correlation, we bound each individual test case to a unique source port, and included the source port in the file name. (Well, we used N for 9, because the exploit couldn't write a 9, but you get the idea). So that way we knew that for a given suite of tests, source port 30000 was test X. Even if you can't do the rest of it, keying each test case to a source port is an enormous help in correlation. -- Sam Gorton | Skaion Corporation sgorton () skaion com | 978-251-3963 ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------
Current thread:
- IDS Assessments....and the I{D|P}S evasion research project Joseph McCray (Nov 15)
- Re: IDS Assessments....and the I{D|P}S evasion research project Sam Gorton (Nov 16)
- Re: IDS Assessments....and the I{D|P}S evasion research project Eric Hacker (Nov 17)
- Re: IDS Assessments....and the I{D|P}S evasion research project Eric Hacker (Nov 16)
- Re: IDS Assessments....and the I{D|P}S evasion research project Raffael Marty (Nov 20)
- Re: IDS Assessments....and the I{D|P}S evasion research project Sam Gorton (Nov 16)