Dailydave mailing list archives

RE: Sniffing is not the easy answer, Kate.


From: "Paul Melson" <pmelson () gmail com>
Date: Tue, 11 Oct 2005 10:46:32 -0400

-----Original Message-----
Subject: [Dailydave] Sniffing is not the easy answer, Kate.

One of the things I think that is going to change the balance of the equation is a forced honesty among sniffing solutions vendors. For example, CANVAS 7 is a Service Oriented Architecture. What this means to sniffing companies is that they never get to see the algorithm that generates our nops. Our shellcode polymorphism routines can remain hidden, and evolve over short periods of time, and still be used by a wide number of people.

The internal algorithm that powers an exploit can remain unspoken - you send us the binary for su, we return you a root shell. It allows for coordination on a mass scale - if I've hacked 2^16 machines (or some smaller number of networks + spoofing), I can scan you on each port from a separate IP address.

I hate to be a killjoy (note that people that say this don't actually hate
it, myself included) but I think you're overestimating the impact that this
type of evasion can have on the NIDS product space.

The problem with this model of evasion is that in the state you describe,
it's a faux threat.  It only exists in a contrived environment where we
presume monitoring occurs.  So a sanctioned pen test gets by my NIDS, so
what?  Or if I'm a NIDS vendor, so my product and all but one of my
competitors' products fail this one line item test in an eval, so what?  It
won't be a big deal until it exists in the wild and becomes an actual
threat.  At which point, it will be possible for the algorithm to be
analyzed and low-cost detection for it will be added to the various NIDS
products.  What will be even more fascinating is when the NIDS vendors'
researchers discover an unpredictably common pattern of nop sled that is
unique to your algorithm that lets them write a signature for it. :-)

PaulM
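As an added illustration of the "low-cost detection" the reply above expects NIDS vendors to bolt on once a sled generator shows up in the wild, here is a toy run-length heuristic for NOP-equivalent sleds. This is example code written for this page, not code from the thread, from CANVAS, or from any NIDS product. The opcode alphabet is an assumption (a small subset of single-byte 32-bit x86 instructions commonly used as NOP equivalents), the threshold is arbitrary, and every sample payload is constructed inline. It also shows the cost side of the argument: a polymorphic sled drawn from a fixed alphabet is still caught, but so is a run of uppercase ASCII, which is the classic false positive for this class of signature.

```python
"""Toy NOP-sled run detector (illustrative example, not a product rule).

Heuristic: flag a payload whose longest contiguous run of bytes drawn from a
NOP-equivalent alphabet is at least MIN_RUN bytes long.
"""
import random

# Assumption: a deliberately small alphabet of single-byte x86 (32-bit)
# instructions that are frequently used as NOP equivalents in sleds:
#   0x90        nop
#   0x41-0x4F   inc/dec reg (one byte each in 32-bit mode)
#   0xF8/0xF9   clc/stc
#   0xFC/0xFD   cld/std
NOP_EQUIVALENTS = frozenset({0x90} | set(range(0x41, 0x50)) | {0xF8, 0xF9, 0xFC, 0xFD})

MIN_RUN = 32  # arbitrary threshold for this example


def longest_nop_run(payload: bytes, alphabet=NOP_EQUIVALENTS) -> int:
    """Return the length of the longest contiguous run of alphabet bytes."""
    best = cur = 0
    for b in payload:
        if b in alphabet:
            cur += 1
            best = max(best, cur)
        else:
            cur = 0
    return best


def alphabet_fraction(payload: bytes, alphabet=NOP_EQUIVALENTS) -> float:
    """Fraction of payload bytes that fall inside the alphabet (0.0..1.0)."""
    if not payload:
        return 0.0
    return sum(1 for b in payload if b in alphabet) / len(payload)


def classify(payload: bytes, min_run: int = MIN_RUN) -> str:
    """'sled' if a long NOP-equivalent run is present, otherwise 'clean'."""
    return "sled" if longest_nop_run(payload) >= min_run else "clean"


def make_polymorphic_sled(length: int, seed: int = 7) -> bytes:
    """Constructed sample: a sled that never repeats 0x90 but only ever
    draws from the fixed alphabet, so the run heuristic still sees it."""
    rng = random.Random(seed)
    alphabet = sorted(NOP_EQUIVALENTS - {0x90})
    return bytes(rng.choice(alphabet) for _ in range(length))


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "classic_sled": b"\x90" * 64 + b"\xcc" * 8,
    "polymorphic_sled": make_polymorphic_sled(64) + b"\xcc" * 8,
    "http_request": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    # Uppercase text lives in 0x41-0x4F, so it trips the rule: a false positive.
    "uppercase_text": b"ABCDEFGHIJKLMNO" * 3,
}


def scan_samples(samples=SAMPLES, min_run: int = MIN_RUN) -> dict:
    """Run the heuristic over every sample; returns name -> (run, verdict)."""
    return {name: (longest_nop_run(p), classify(p, min_run)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (run, verdict) in scan_samples().items():
        print(f"{name:18s} longest_run={run:3d} verdict={verdict}")
```

The point of the uppercase sample is the trade-off Paul alludes to: the signature is cheap to write and catches a whole family of generators, but the vendor then pays for it in tuning against legitimate traffic, which is why such rules usually end up gated on port, direction or a higher threshold.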
