Network Security Focus-IDS

Re: Firewall-fooling techniques

Subject: Re: Firewall-fooling techniques
Date: Sun, 13 Feb 2005 00:00:31 +0100
Thank you for all the replies!

I've read some posts at SecurityFocus (I've been trying to dig for a
reference, but I can't seem to find it again) regarding the different
techniques stated in the URLs and whitepapers that some of you supplied. [1]
[2] The post at SecurityFocus said something like "all these attacks are old,
and aren't likely to be used anymore". All the material I've got is from 2002
and back (all the way to 1998, and that's 7 years ago, hard to believe). So,
are polymorphic shellcode, fragmentation and basic string-matching weaknesses
"up-to-date" methods of fooling IDSs? Or, can someone please in short terms
describe what kind of traffic IDSs have problems detecting today. And how
will the bad guys do it tomorrow?

Thanks in advance! 

Cheers
Göran Sandahl

[1] http://www.securityfocus.com/infocus/1577
[2] http://citeseer.nj.nec.com/ptacek98insertion.html

-- 
Göran Sandahl
location:    stockholm, sweden
mail:        goran@gsandahl.net
web:         http://gsandahl.net

On Tuesday 25 January 2005 02.37, Don Parker wrote:
You may want to look into shellcode obfuscation. While it may not fool
every IDS out there it certainly fools a great many analysts.

--------------------------------------------------------------
Don Parker, GCIA GCIH
Intrusion Detection & Incident Handling Specialist
Bridon Security & Training Services
http://www.bridonsecurity.com
voice: 1-613-302-2910
--------------------------------------------------------------

On Mon Jan 24 13:48, Krzysztof Cabaj sent:
Hi,

> I'm looking for some basic information on "techniques" on "fooling"
> firewalls and IDSs. Like using fragmented packages to fool
> packet-filtering firewalls etc.. Any suggestions on such techniques,
> and perhaps some references to online literature.. ?

I think this is a good beginning ... maybe not recent, but for a
beginning, perfect.

T.H. Ptacek, T.N. Newsham: Insertion, Evasion, and Denial of
Service: Eluding Network Intrusion Detection, January 1998,
URL: http://citeseer.nj.nec.com/ptacek98insertion.html

And some for the application layer:
Whisker library for fooling IDSs which look at HTTP traffic.
http://www.ussrback.com/docs/papers/IDS/whiskerids.html

Best regards,
Chris

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
