IDS mailing list archives

Re: Bypassing "smart" IDSes with misdirected frames? (long and boring)


From: Michal Melewski <mike () pn66 poznan sdi tpnet pl>
Date: Fri, 28 May 2004 15:34:04 +0200

Hello
From what I know, you haven't discovered anything new. The problem regarding
false MAC addressing was discussed in "Eluding ID systems..." from 1998.
I admit that your approach is more sophisticated, and a simple "drop all wrong
MAC addresses" wouldn't help. In my opinion, a solution like MAC address based
session reassembly can help.
Generally, IDSes should move toward being nearly a VM that behaves like the system
under attack, but in an isolated environment, assessing all impacts. This, however, is
SF for now.

(this is the short version of my response because I'm at work now; an extended
version is coming out soon)

-- 
Michael "carstein" Melewski      |  "Kepler was a humanist, and so was Leibniz.
carstein () poznan linux org pl          |   A person who defines humanism as
mobile: 502 545 913              |   the inability to integrate
gpg: carstein.c.pl/carstein.txt  |   is not a humanist."
