Dailydave mailing list archives
RE: Sniffing is not the easy answer, Kate.
From: "Paul Melson" <pmelson () gmail com>
Date: Tue, 11 Oct 2005 10:46:32 -0400
-----Original Message-----
Subject: [Dailydave] Sniffing is not the easy answer, Kate.

One of the things I think that is going to change the balance of the equation is a forced honesty among sniffing solutions vendors. For example, CANVAS 7 is a Service Oriented Architecture. What this means to sniffing companies is that they never get to see the algorithm that generates our nops. Our shellcode polymorphism routines can remain hidden, and evolve over short periods of time, and still be used by a wide number of people. The internal algorithm that powers an exploit can remain unspoken - you send us the binary for su, we return you a root shell. It allows for coordination on a mass scale - if I've hacked 2^16 machines (or some smaller number of networks + spoofing), I can scan you on each port from a separate IP address.
I hate to be a killjoy (note that people that say this don't actually hate it, myself included) but I think you're overestimating the impact that this type of evasion can have on the NIDS product space. The problem with this model of evasion is that in the state you describe, it's a faux threat. It only exists in a contrived environment where we presume monitoring occurs. So a sanctioned pen test gets by my NIDS, so what? Or if I'm a NIDS vendor, so my product and all but one of my competitors' products fail this one line item test in an eval, so what? It won't be a big deal until it exists in the wild and becomes an actual threat. At which point, it will be possible for the algorithm to be analyzed and low-cost detection for it will be added to the various NIDS products. What will be even more fascinating is when the NIDS vendors' researchers discover an unpredictably common pattern of nop sled that is unique to your algorithm that lets them write a signature for it. :-)

PaulM
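The detection-side point Paul makes (a polymorphic sled generator still leaves a pattern a NIDS researcher can key on) can be shown with a toy heuristic in the spirit of the classic "shellcode" rule family. The script below is an added illustration written for this archive page; it is not code from the Dailydave thread, from CANVAS, or from any NIDS product. The opcode set, the sample payloads and the 32-byte threshold are all constructed for the example. A classic sled is a long run of one byte; a sled built from a finite alphabet of single-byte NOP-equivalents is still a long run over that alphabet, which is exactly the "common pattern" a signature can match once the alphabet is known. The benign sample shows the cost of such rules: a run of uppercase ASCII falls inside the inc/dec/push/pop opcode range, so a length threshold is what keeps the rule from firing on ordinary text.

```python
"""Toy NOP-sled heuristic (added example, not from the thread or any product)."""
import random
from collections import Counter

# Single-byte x86 instructions usable as NOP-equivalents in a sled.
# Illustrative, constructed set; real rule sets differ and are larger.
NOP_EQUIVALENTS = frozenset(
    [0x90]                      # nop
    + list(range(0x40, 0x50))   # inc/dec r32
    + list(range(0x50, 0x60))   # push/pop r32
    + [0x97, 0x98, 0x99]        # xchg eax,edi ; cwde ; cdq
    + [0xF8, 0xF9, 0xFC, 0xFD]  # clc ; stc ; cld ; std
)


def longest_run(data: bytes, alphabet=NOP_EQUIVALENTS):
    """Return (start, length) of the longest contiguous run of alphabet bytes."""
    best_start = best_len = 0
    cur_start = cur_len = 0
    for i, b in enumerate(data):
        if b in alphabet:
            if cur_len == 0:
                cur_start = i
            cur_len += 1
            if cur_len > best_len:
                best_start, best_len = cur_start, cur_len
        else:
            cur_len = 0
    return best_start, best_len


def sled_profile(data: bytes, alphabet=NOP_EQUIVALENTS):
    """Describe the longest alphabet run: its length, how many distinct
    bytes it uses, and the share taken by its most common byte."""
    start, length = longest_run(data, alphabet)
    run = data[start:start + length]
    counts = Counter(run)
    top_share = counts.most_common(1)[0][1] / length if length else 0.0
    return {"run_length": length, "distinct": len(counts), "top_byte_share": top_share}


def is_suspicious(data: bytes, min_run: int = 32) -> bool:
    """Flag a payload whose longest alphabet run reaches the threshold.
    The threshold is the knob that trades false positives on uppercase
    ASCII against missed short sleds; 32 is a constructed example value."""
    return sled_profile(data)["run_length"] >= min_run


# Constructed sample payloads: 0x00/0x01 and 0xCC are outside the alphabet,
# so the run length measures only the sled region.
CLASSIC = b"\x00\x01" + b"\x90" * 64 + b"\xcc" * 8
_rng = random.Random(7)  # fixed seed so the example is reproducible
POLY = (b"\x00\x01"
        + bytes(_rng.choice(sorted(NOP_EQUIVALENTS)) for _ in range(64))
        + b"\xcc" * 8)
BENIGN = b"Hello, world. This is ordinary ASCII text with no sled at all.\n"

if __name__ == "__main__":
    for name, blob in (("classic", CLASSIC), ("poly", POLY), ("benign", BENIGN)):
        print(name, sled_profile(blob), "suspicious" if is_suspicious(blob) else "clean")
```

Running it shows the classic sled as a 64-byte run of one byte, the polymorphic sled as a 64-byte run spread over many bytes (low top-byte share, so a single-byte signature misses it but the alphabet-run rule does not), and the benign text topping out at a 5-byte run from the word "ASCII".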
Current thread:
- Sniffing is not the easy answer, Kate. Dave Aitel (Oct 11)
- Re: Sniffing is not the easy answer, Kate. Ron Gula (Oct 11)
- RE: Sniffing is not the easy answer, Kate. Paul Melson (Oct 11)
- Re: Sniffing is not the easy answer, Kate. byte_jump (Oct 11)
- RE: Sniffing is not the easy answer, Kate. Paul Melson (Oct 11)
- RE: Sniffing is not the easy answer, Kate. Sash (Oct 11)
- Re: Sniffing is not the easy answer, Kate. byte_jump (Oct 11)
- Re: Sniffing is not the easy answer, Kate. Andrew R. Reiter (Oct 11)