IDS mailing list archives

RE: RPC Evasion techniques


From: "Palmer, Paul (ISSAtlanta)" <PPalmer () iss net>
Date: Thu, 3 Nov 2005 15:19:19 -0500

I would like to make a comment on that paper you cited as it relates to
the test results.

I am impressed by the authors' technology. I believe they are helping to
advance the state of the art in IDS/IPS testing. However, ISS has been
unable to reproduce the results that the authors describe with recent
products. I believe that the authors were using older versions of ISS
products during testing. So far, they have not provided product version
information when asked.

So, I strongly believe that the published results are not a reflection
of the quality of recent ISS product protection. Even so, I still
believe that the results demonstrate the strengths of the authors'
technology to expose limitations in an IDS/IPS product whether or not
the product is still relevant.

Paul

-----Original Message-----
From: Pukhraj Singh [mailto:pukhraj.singh () gmail com] 
Sent: Monday, October 31, 2005 7:28 AM
To: tcp fin
Cc: focus-ids () securityfocus com
Subject: Re: RPC Evasion techniques


A lot of things can be done to evade IPS/IDS.

The tricks vary from protocol to protocol. The difference in the decoding
mechanism of the security appliance and the application server can lead to
many evasion techniques. I have created and tested many mutant exploits
and they worked beautifully. The idea is to strike and exploit some
fundamental concepts of logic and protocols which IDS/IPS makers tend to
ignore or is simply beyond their device capability.

Apparently, I haven't documented and organized the work I did.

But here is an introductory paper you should definitely read:
http://www.cs.ucsb.edu/~rsg/Hidra/Papers/2004_vigna_robertson_balzarotti_CCS04.pdf

--Pukhraj Singh


On 10/27/05, tcp fin <inet_inaddr () yahoo com> wrote:
Hi Guys,
Any tips and tricks or good article on IDS/IPS evasion?
I have a beautiful paper, "Insertion, Evasion and Denial of Service:
Eluding Network Intrusion detection".
I need some pointers on RPC-based evasion techniques.

Regards,
TCP FIN .





------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.

------------------------------------------------------------------------


