IDS mailing list archives
Re: Bypassing "smart" IDSes with misdirected frames? (long and boring)
From: Michal Melewski <mike () pn66 poznan sdi tpnet pl>
Date: Fri, 28 May 2004 15:34:04 +0200
Hello

From what I know, you haven't discovered anything new. The problem regarding false MAC addressing was discussed in "Eluding ID systems..." from 1998. I admit that your approach is more sophisticated, and a simple "drop all wrong MAC addresses" wouldn't help. In my opinion, a solution like MAC address based session reassembly can help. Generally, IDSes should move toward nearly a VM that behaves like the system being under attack, but in an isolated environment, and assessing all impacts. This, however, is SF for now.

(This is the short version of my response because I'm at work now; an extended version is coming out soon.)

--
Michael "carstein" Melewski
carstein () poznan linux org pl
mobile: 502 545 913
gpg: carstein.c.pl/carstein.txt

"Kepler was a humanist, and so was Leibniz. A person who defines humanism as the inability to integrate is not a humanist."