Bugtraq mailing list archives

RE: Snort exploits


From: "Grimes, Roger" <RogerG () GoldKeyresorts com>
Date: Wed, 17 Apr 2002 18:07:17 -0400

Not to get even further off topic...but I will...to support Dragos.

The whole IDS evasion thing mimics the scanners vs. virus writers war.  I've
been doing antivirus work since 1989 and I have heard that virus writers
were going to polymorph, encrypt, oli-this, poly-that since before there
were 100 viruses.  Nobody, not even the AV vendors thought that scanners
would still be fighting the good fight (and winning 99.999% of the time)
when 30,000+ viruses and worms appeared.  Virus scanners would run out of
memory, wouldn't be able to keep up with the signatures, would end up with
too many false-positives, would run so slow nobody would use them, etc.  But
the truth is fingerprint scanning (no matter how flawed) still works and I
hear less about AV scanner deaths every year...and when I do hear it's from
the vendors themselves...and guess what they have the new solution sitting
in the wings ready to go.  I see the same pattern in IDS...heck, yeah, the
black hatters will develop more sophisticated hacks...and the white hatters
will fight back...SUCCESSFULLY.

With that said, there are some viruses today that scare the mess out of the
good AV guys...ones that scare them and keep them up at night.  And DDoS
"Reflection" attacks???...if you're not scared you don't understand the
problem.  But the good guys will respond and life will go on as usual.

Just my one cent.

Roger A. Grimes

***************************************************************************
*Roger A. Grimes, VP of IT for GK/PHR Holding Company
*Gold Key Resorts and Professional Hospitality Resources
*email:  rogerg () goldkeyresorts com
*ph: 757-491-2101 x403
*fax:757-491-6550
*932 Laskin Road, Virginia Beach, VA 23451
*Author of Malicious Mobile Code:  Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode/
***************************************************************************


;-----Original Message-----
;From: Dragos Ruiu [mailto:dr () kyx net]
;Sent: Wednesday, April 17, 2002 12:08 AM
;To: 0xcafebabe () hushmail com
;Cc: bugtraq () securityfocus com; pen-test () securityfocus com;
;snort-devel () snort org; roesch () sourcefire com; natasha () snort org
;Subject: Re: Snort exploits


;Heh, well... first... don't panic. :-)

;I was actually expecting him to release fragroute on the CanSecWest conference CD,
;for his talk on it there and am preparing some appropriate counter measures for the
;variant of snort I was going to put on there.  Been kinda swamped with conference
;preparations so please do not ask me for any of this in advance of the conference.
;Odds are now that this info has gone out snort cvs will have fixes for this
;in a matter of hours or days...

;The TCP evasions are fairly easily detectable as overlaps should not normally occur.
;I'm sure Marty or Andrew will be releasing some tweaks to stream4 shortly to
;address this. It is just a matter of slightly more rigorous alerting and

;To everyone else:
;The game of evasion and countermeasures is the snake eating its tail and you
;shouldn't be naive and assume that there aren't other evasions out there because
;there are _always_ other obfuscations and countermeasures, and then detectors for
;--dr
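Editor's added example, not code from either poster, Snort or fragroute: the point quoted above is that retransmitted TCP data should repeat the bytes already seen, so an overlap whose bytes disagree with earlier data is itself worth an alert. The minimal stream tracker below records every payload byte by sequence offset, keeps the first-seen byte on overlap, and raises an alert when an overlapping segment carries different bytes. The segment sequences are constructed inline; the "favour old data" policy is an assumption for illustration, since real hosts differ in which copy they keep, which is exactly what the evasion relies on.

```python
"""Flag TCP segment overlaps whose bytes conflict with data already seen.

Added example, not from the thread. Assumes relative sequence numbers and a
favour-old overlap policy (first byte seen wins); both are illustrative.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Segment:
    seq: int        # relative sequence number of the first payload byte
    data: bytes


@dataclass
class StreamState:
    seen: Dict[int, int] = field(default_factory=dict)   # offset -> byte value
    alerts: List[str] = field(default_factory=list)


def feed(state: StreamState, seg: Segment) -> List[str]:
    """Record seg's bytes and return the alerts raised for this segment.

    An identical retransmission touches only offsets whose stored byte
    already matches, so it is silent. An overlap that rewrites earlier data
    (the fragroute-style evasion) produces differing bytes and is reported.
    """
    conflicts = []
    for i, b in enumerate(seg.data):
        off = seg.seq + i
        if off in state.seen:
            if state.seen[off] != b:
                conflicts.append(off)       # favour-old: keep the stored byte
        else:
            state.seen[off] = b
    new_alerts = []
    if conflicts:
        new_alerts.append(
            f"inconsistent overlap at seq {conflicts[0]}..{conflicts[-1]} "
            f"({len(conflicts)} bytes differ)"
        )
    state.alerts.extend(new_alerts)
    return new_alerts


def reassemble(state: StreamState) -> bytes:
    """Return the contiguous stream from offset 0, stopping at the first gap."""
    out = bytearray()
    off = 0
    while off in state.seen:
        out.append(state.seen[off])
        off += 1
    return bytes(out)


def analyse(segments: List[Segment]) -> Tuple[bytes, List[str]]:
    """Feed all segments in arrival order; return (reassembled data, alerts)."""
    state = StreamState()
    for seg in segments:
        feed(state, seg)
    return reassemble(state), state.alerts


# Constructed sample streams (not captured traffic).
# BENIGN: request, continuation, then an exact retransmission of the first segment.
BENIGN = [
    Segment(0, b"GET /index.html"),
    Segment(15, b" HTTP/1.0\r\n"),
    Segment(0, b"GET /index.html"),
]
# EVASIVE: a second segment overlaps offsets 4..15 with different bytes, so a
# host that favours new data sees a different URL than one that favours old.
EVASIVE = [
    Segment(0, b"GET /index.html"),
    Segment(4, b"/cgi-bin/ok "),
    Segment(15, b" HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for name, segs in (("benign", BENIGN), ("evasive", EVASIVE)):
        data, alerts = analyse(segs)
        print(name, data, alerts)
```

Running it prints no alert for the benign stream and one alert for the evasive one (offsets 5..14, ten differing bytes); in both cases this favour-old reassembly yields the same request text, which is why the alert, rather than the reassembled data alone, is what exposes the evasion.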
