Snort mailing list archives

Re: SeolMa


From: Dragos Ruiu <dr () kyx net>
Date: Sat, 18 Aug 2001 15:44:43 -0700

On Wed, 31 Dec 1969, auto241065 () hushmail com wrote:
> What are your thoughts on the IDS evasion method presented in the latest
> issue of phrack? Do frag2 and stream4 make the traffic appear to snort the same
> way it would arrive at the host, defeating this evasion attempt? My testing
> with this method is limited due to the fact that it seems there were errors in
> the example code meant to drive me crazy.


I would think that this evasion should have little to do with either stream{n}
or {de}frag{n}, as this sort of urgent flag data insertion is rarely used
in the real world.

I have heard reports that MS Citrix terminal server traffic makes use of
Urgent flags, so this evasion should be more of a pain in the ass for those
kinds of environments as they'll have to go to greater lengths to prefilter
their Citrix traffic from this kind of detection, but given that urgent flags
are very infrequent on the network they should stick out like, hehe, stealth 
nmap scans, or xmas scans, using stick, or any of the other "leet" (not :-)
obfuscations that stick out (oooh bad pun:-) like a sore thumb and typically
start big red flashing lights and alerts. 

An Urgent Insertion IDS Evasion signature might go like:

alert tcp any any -> $HOME_NET any (flags: U; msg: "Possible TCP Urgent Data Insertion Evasion - ref Phrack57";)

Since I'm fortunately Citrix-free, I'm planning on seeing if anything else will
false this rule.  Does anybody with Citrix want to come up with a Citrix
triggered rule that can be used as a pass rule before this, or used 
with a negated content keyword to improve this signature?

cheers,
--dr

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
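As an added illustration (not code from the thread or from the Snort project) of what the `flags: U` signature catches and why the original question about stream reassembly matters: the parser below reads a raw TCP segment, raises the same alert the rule would on any segment with URG set, and also produces the payload as the host's socket layer would deliver it in-band. It assumes the BSD/Linux default interpretation in which the single byte at offset urgent-pointer minus one is delivered out-of-band and is therefore absent from the normal stream; the segment it inspects is constructed inline, and the helper names are the example's own.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional

TCP_FLAG_URG = 0x20  # URG bit in the TCP flags field


@dataclass
class TcpSegment:
    src_port: int
    dst_port: int
    seq: int
    flags: int
    urg_ptr: int
    payload: bytes


def parse_tcp(segment: bytes) -> TcpSegment:
    """Parse a raw TCP segment (TCP header plus payload, no IP header)."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the fixed TCP header")
    src, dst, seq, _ack, off_flags, _win, _csum, urg = struct.unpack(
        "!HHIIHHHH", segment[:20]
    )
    data_offset = (off_flags >> 12) * 4  # header length in bytes, options included
    flags = off_flags & 0x1FF
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad TCP data offset")
    return TcpSegment(src, dst, seq, flags, urg, segment[data_offset:])


def urgent_insertion_alert(seg: TcpSegment) -> Optional[str]:
    """Equivalent of the 'flags: U' rule: any segment with URG set alerts."""
    if seg.flags & TCP_FLAG_URG:
        return "Possible TCP Urgent Data Insertion Evasion - ref Phrack57"
    return None


def inband_payload(seg: TcpSegment) -> bytes:
    """Payload as a BSD-style socket delivers it without SO_OOBINLINE.

    Assumption: the urgent pointer points just past the urgent byte, so the
    byte at payload[urg_ptr - 1] goes out-of-band and is dropped from the
    in-band stream. Without URG, or with a pointer outside the payload, the
    payload is passed through unchanged.
    """
    if not seg.flags & TCP_FLAG_URG:
        return seg.payload
    if seg.urg_ptr < 1 or seg.urg_ptr > len(seg.payload):
        return seg.payload
    idx = seg.urg_ptr - 1
    return seg.payload[:idx] + seg.payload[idx + 1:]


def inspect(segment: bytes, pattern: bytes) -> Dict[str, object]:
    """Run the URG alert plus a content match on both views of the payload."""
    seg = parse_tcp(segment)
    return {
        "alert": urgent_insertion_alert(seg),
        "raw_match": pattern in seg.payload,
        "inband_match": pattern in inband_payload(seg),
    }


def build_segment(payload: bytes, urg_ptr: int = 0, urg: bool = False) -> bytes:
    """Constructed test segment: 20-byte header, no options, checksum left zero."""
    off_flags = (5 << 12) | (TCP_FLAG_URG if urg else 0)
    header = struct.pack("!HHIIHHHH", 1234, 80, 1000, 0, off_flags, 8192, 0, urg_ptr)
    return header + payload


if __name__ == "__main__":
    # Constructed sample: one junk byte 'X' placed at the urgent pointer so the
    # wire bytes differ from what the server's application actually reads.
    sample = build_segment(b"/cgiX-bin/", urg_ptr=5, urg=True)
    print(inspect(sample, b"/cgi-bin/"))
```

A content match on the raw bytes misses the string while the host-side view matches it, which is exactly the gap a reassembler has to close; the URG flag check is the cheap tripwire the rule above provides while that gap exists.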
