Network Security Focus-IDS

RE: Foolin an IDS ?

Subject: RE: Foolin an IDS ?
Date: Wed, 1 Dec 2004 18:06:00 -0800 (PST)

Hi,

There is a new paper by OK for IDS evasion:

Advanced Polymorphic Worms: Evading IDS by Blending in
with Normal Traffic, by Oleg Kolesnikov, Dave Dagon,
and Wenke Lee, 2004.

http://www.cc.gatech.edu/~ok/w/ok_pw.pdf

Regards,
Shaiful
--- Eric Hines <eric.hines@appliedwatch.com> wrote:

There is a pretty well known paper written by Ptacek and Newsham
"Intrusion Detection System Insertion, Evasion, and Denial of Service"
that outlines multiple techniques for eluding IDS':
http://secinf.net/info/ids/idspaper/idspaper.html

A tool was created based on the techniques outlined in this paper called
Fragroute by Dug Song which illegally fragments your outbound packets to a
destination host based on how you tell it to fragment the traffic.
"fragroute intercepts, modifies, and rewrites egress traffic destined for a
specified host, implementing most of the attacks described in the Secure
Networks "Insertion, Evasion, and Denial of Service: Eluding Network
Intrusion Detection" paper of January 1998. It features a simple ruleset
language to delay, duplicate, drop, fragment, overlap, print, reorder,
segment, source-route, or otherwise monkey with all outbound packets
destined for a target host, with minimal support for randomized or
probabilistic behaviour."
http://monkey.org/~dugsong/fragroute/

I'd also recommend reading about and researching payload encryptors like
ADMmutate written by ADM. "In a nutshell, this API can mask buffer overflow
exploit signatures from Network IDS systems so that they are more difficult
to detect."
README: http://www.ktwo.ca/readme.html
Homepage: http://www.ktwo.ca/security.html

HTH.


Best Regards,

Eric Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, Inc.


------------------------------------------------------------------------

1134 N. Main St.                     Tel: (877) 262-7593 x327
Algonquin, IL                        Fax: (877) 262-7593
60102                                Mobile: (847) 456-6785
http://www.appliedwatch.com          Email: eric.hines@appliedwatch.com

------------------------------------------------------------------------
"Redefining Open Source Enterprise Management"

------------------------------------------------------------------------



-----Original Message-----
From: Sec Traq [mailto:sectraq@gmail.com] 
Sent: Saturday, November 27, 2004 4:44 PM
To: focus-ids@securityfocus.com
Subject: Foolin an IDS ?



Hi,

I have read a couple of papers on how to fool an IDS. One of them from
phrack. I find the subject really interesting and am considering it as an
MSc. project, but I need more advanced and technical papers. If any1 could
advise, ur help would be appreciated.

Thnx


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with
real-world attacks from CORE
IMPACT.
Go to

http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.

--------------------------------------------------------------------------




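The "overlap" and "reorder" operations in the fragroute description quoted above matter to a defender because a sensor and the destination host can rebuild the same fragments into different data. The sketch below is an added example, not part of the thread or of fragroute: it flags fragment sets whose overlapping bytes disagree. The (byte_offset, payload) tuple model, the function names and the sample data are assumptions constructed for illustration.

```python
"""Flag overlapping fragments whose overlapping bytes disagree.

Each datagram is modelled as a list of (byte_offset, payload) tuples in
arrival order. This is a simplified model, not a packet parser: real IP
fragment offsets are carried in 8-byte units and holes are not handled.
"""

def reassemble(fragments, policy):
    """Rebuild the data. 'first' keeps the earliest-arriving byte at each
    offset; 'last' lets later arrivals overwrite earlier ones."""
    buf = {}
    for offset, payload in fragments:
        for i, byte in enumerate(payload):
            pos = offset + i
            if policy == "last" or pos not in buf:
                buf[pos] = byte
    return bytes(buf[p] for p in sorted(buf))

def find_conflicting_overlaps(fragments):
    """Return sorted offsets where two fragments carry different bytes."""
    seen, conflicts = {}, set()
    for offset, payload in fragments:
        for i, byte in enumerate(payload):
            pos = offset + i
            if pos in seen and seen[pos] != byte:
                conflicts.add(pos)
            seen.setdefault(pos, byte)
    return sorted(conflicts)

def is_ambiguous(fragments):
    """True when the two reassembly policies yield different data, i.e. a
    sensor and an end host could disagree about what was sent."""
    return reassemble(fragments, "first") != reassemble(fragments, "last")

# Constructed sample data (not captured traffic).
BENIGN = [(0, b"GET /ind"), (8, b"ex.html ")]                  # no overlap
RETRANSMIT = [(0, b"GET /ind"), (4, b"/index.h"), (12, b"tml ")]  # same bytes
CONFLICT = [(0, b"AAAAAAAA"), (4, b"BBBBBBBB")]                # bytes differ

if __name__ == "__main__":
    for name, frags in [("benign", BENIGN), ("retransmit", RETRANSMIT),
                        ("conflict", CONFLICT)]:
        print(name, find_conflicting_overlaps(frags), is_ambiguous(frags))
```

An overlap that repeats identical bytes is not ambiguous. The conflicting case is the one worth alerting on, and the one where the sensor's reassembly policy must match the protected host's.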