IDS mailing list archives
RE: Foolin an IDS ?
From: Shaiful <shaifuljahari () yahoo com>
Date: Wed, 1 Dec 2004 18:06:00 -0800 (PST)
Hi,

There is a new paper by OK on IDS evasion: "Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic", by Oleg Kolesnikov, Dave Dagon, and Wenke Lee, 2004.
http://www.cc.gatech.edu/~ok/w/ok_pw.pdf

Regards,
Shaiful

--- Eric Hines <eric.hines () appliedwatch com> wrote:
There is a pretty well known paper written by Ptacek and Newsham, "Intrusion Detection System Insertion, Evasion, and Denial of Service", that outlines multiple techniques for eluding IDSs:
http://secinf.net/info/ids/idspaper/idspaper.html

A tool was created based on the techniques outlined in this paper called Fragroute, by Dug Song, which illegally fragments your outbound packets to a destination host based on how you tell it to fragment the traffic.

"fragroute intercepts, modifies, and rewrites egress traffic destined for a specified host, implementing most of the attacks described in the Secure Networks "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" paper of January 1998. It features a simple ruleset language to delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host, with minimal support for randomized or probabilistic behaviour."
http://monkey.org/~dugsong/fragroute/

I'd also recommend reading about and researching payload encryptors like ADMmutate, written by ADM. "In a nutshell, this API can mask buffer overflow exploit signatures from Network IDS systems so that they are more difficult to detect."
README: http://www.ktwo.ca/readme.html
Homepage: http://www.ktwo.ca/security.html

HTH.

Best Regards,
Eric Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, Inc.
------------------------------------------------------------------------
1134 N. Main St., Algonquin, IL 60102
Tel: (877) 262-7593 x327
Fax: (877) 262-7593
Mobile: (847) 456-6785
http://www.appliedwatch.com
Email: eric.hines () appliedwatch com
------------------------------------------------------------------------
"Redefining Open Source Enterprise Management"
------------------------------------------------------------------------
-----Original Message-----
From: Sec Traq [mailto:sectraq () gmail com]
Sent: Saturday, November 27, 2004 4:44 PM
To: focus-ids () securityfocus com
Subject: Foolin an IDS ?

Hi,

I have read a couple of papers on how to fool an IDS, one of them from Phrack. I find the subject really interesting and am considering it as an MSc. project, but I need more advanced and technical papers. If anyone could advise, your help would be appreciated.

Thanks
--------------------------------------------------------------------------
Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
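The overlap and fragmentation tricks fragroute implements, and the reason Ptacek and Newsham framed them as an insertion/evasion problem, come down to one fact: the monitor and the end host may resolve overlapping segments differently, so a signature match on the monitor's reassembly says nothing certain about what the host saw. The block below is an added example, not code from this thread, from fragroute or from any IDS; it assumes a simplified model with only two overlap policies (`first` and `last`) and uses constructed segments, and it shows the defender-side response of flagging conflicting overlaps rather than silently picking a policy.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int      # offset of the first byte, relative to the stream start
    data: bytes


def reassemble(segments, policy):
    """Rebuild the byte stream as an end host with the given overlap policy
    would.  'first' keeps the byte that arrived first; 'last' lets a later
    segment overwrite it.  Real stacks have more policies than these two
    (assumption: two are enough to show the ambiguity).  Segments are
    processed in arrival order, so order matters for 'last'."""
    if policy not in ("first", "last"):
        raise ValueError(policy)
    stream = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if policy == "last" or off not in stream:
                stream[off] = byte
    if not stream:
        return b""
    # Offsets never sent are filled with 0x00 so positions stay aligned.
    return bytes(stream.get(off, 0) for off in range(max(stream) + 1))


def find_conflicts(segments):
    """Offsets covered by two segments that disagree on the byte value.
    A monitor that sees such an offset cannot know which byte the host kept
    unless it knows that host's policy; alerting on the inconsistency is
    safer than guessing."""
    seen, conflicts = {}, set()
    for seg in segments:
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if off in seen and seen[off] != byte:
                conflicts.add(off)
            seen.setdefault(off, byte)
    return sorted(conflicts)


def inspect(segments, signature, policy="first"):
    """IDS-style verdict: did the signature match under the assumed policy,
    and did conflicting overlaps make that verdict unreliable?"""
    data = reassemble(segments, policy)
    return {"stream": data, "match": signature in data,
            "ambiguous": bool(find_conflicts(segments))}


# Constructed sample: the overlap at offsets 5-9 yields a different request
# depending on which policy the receiving host applies.
SAMPLE = [Segment(0, b"GET /index"), Segment(5, b"admin"), Segment(10, b".html")]

if __name__ == "__main__":
    for pol in ("first", "last"):
        print(pol, inspect(SAMPLE, b"/admin", pol))
```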
Current thread:
- Re: Foolin an IDS ? Jose Costa (Dec 01)
- <Possible follow-ups>
- Re: Foolin an IDS ? Jose Nazario (Dec 01)
- Re: Foolin an IDS ? Graeme Connell (Dec 01)
- RE: Foolin an IDS ? Eric Hines (Dec 01)
- RE: Foolin an IDS ? Shaiful (Dec 02)
- RE: Foolin an IDS ? Maynor, David (ISS Atlanta) (Dec 02)
- Re: Foolin an IDS ? Zyzio (Dec 03)
- RE: Foolin an IDS ? Mark Teicher (Dec 06)
- Re: Foolin an IDS ? Thomas Ptacek (Dec 07)
- Re: Foolin an IDS ? Pukhraj Singh (Dec 27)
- RE: Foolin an IDS ? Maynor, David (ISS Atlanta) (Dec 06)