IDS mailing list archives
RE: sidestep
From: "Golomb, Gary" <GGolomb () enterasys com>
Date: Wed, 30 Apr 2003 07:41:44 -0400
For those that don't know, the tool works by allowing you to choose which type of attack you want, for example RPC, DNS, FTP etc., and then run it with a switch such as -evade, which will perform the attack on the box and attempt to "evade" the IDS. The URL is http://www.robertgraham.com/tmp/sidestep.html. Now I have run the tool with all of the possible attacks and it has worked fine, but it doesn't always manage to evade snort.
Almost all IDSes on the market nowadays can decode/detect these tactics. When Robert released the tool, the concepts were quite novel; however, that was several years ago now. I doubt you'll have any luck "evading" IDSes with sidestep. On the other hand, using the methods employed by sidestep to create a "proxy" (like the earlier versions of fragrouter) would probably yield much different results though. :) i.e., something that obfuscates all RPC, DNS, etc. traffic which passes through it. Also, there are several other protocols which are subject to the same types of obfuscations that are not implemented in sidestep. SMB is one such example.
So I am writing up the results of this for a project I am doing at Uni; however, when it comes to explaining how this tool tries to evade the IDS, I can't, because I don't know, and there seems to be no documentation to explain how it is working, and I can't look at the source code.
The best way to figure it out is to look at the packets on the wire! Also, these two papers look at the DNS and RPC portions of the tool.
https://dragon.enterasys.com/wp/DNS_Evasion.pdf
https://dragon.enterasys.com/wp/RPC_Evasion.pdf
-gary
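An added example, not code from this thread or from sidestep, of the kind of decoding Gary is pointing at: a raw-byte signature for a query name is defeated as soon as the name is written differently on the wire, so an IDS has to decode the question section the way a resolver does. It assumes, as one obfuscation of the sort the thread discusses, a name rewritten with RFC 1035 compression pointers; both DNS messages are constructed here, and the hop bound and backward-pointer check are defensive choices of this example.

```python
import struct
MAX_HOPS = 16  # defensive bound so a pointer loop cannot hang the decoder

def decode_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Return (canonical lowercase name, offset just past its wire form)."""
    labels, end, pos, hops = [], None, offset, 0
    while True:
        raw = msg[pos:pos + 2]
        if not raw:
            raise ValueError("name runs past end of message")
        length = raw[0]
        if length & 0xC0 == 0xC0:                   # compression pointer (RFC 1035 4.1.4)
            if len(raw) < 2:
                raise ValueError("truncated pointer")
            target = struct.unpack("!H", raw)[0] & 0x3FFF
            hops += 1
            if target >= pos or hops > MAX_HOPS:    # only prior occurrences, no loops
                raise ValueError("bad or looping pointer")
            end = pos + 2 if end is None else end   # the name ends after the first pointer
            pos = target
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        if length == 0:
            return ".".join(labels), (pos + 1 if end is None else end)
        label = msg[pos + 1:pos + 1 + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", "replace").lower())
        pos += 1 + length

def encode_name(name: str) -> bytes:  # plain label form, e.g. b"\x03www\x07example\x03com\x00"
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def header(qdcount: int) -> bytes:  # ID, flags (RD set), QDCOUNT, AN/NS/ARCOUNT
    return struct.pack("!HHHHHH", 0x1234, 0x0100, qdcount, 0, 0, 0)

def question_names(msg: bytes) -> list[str]:  # every QNAME in the question section, decoded
    qdcount = struct.unpack("!H", msg[4:6])[0]
    pos, names = 12, []
    for _ in range(qdcount):
        name, pos = decode_name(msg, pos)
        names.append(name)
        pos += 4  # skip QTYPE and QCLASS
    return names

QA_IN = b"\x00\x01\x00\x01"  # QTYPE A, QCLASS IN
# Constructed sample 1: www.example.com spelled out as plain labels.
PLAIN = header(1) + encode_name("www.example.com") + QA_IN
# Constructed sample 2: two questions; the second spells www.example.com as "www" plus a pointer (0xC00C) back to "example.com" at offset 12.
COMPRESSED = (header(2) + encode_name("example.com") + QA_IN
              + b"\x03www\xC0\x0C" + QA_IN)
```

`encode_name("www.example.com") in COMPRESSED` is False while `question_names(COMPRESSED)` still returns the full name, which is exactly the gap a byte-matching rule has and a decoding IDS does not.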