Re: RPC Evasion techniques

Well, people have implemented a few techniques. But these techniques,
if used on a standalone basis can lead to a lot of false positives.
The randomized NOP sleds generated by ADMutate can be detected. See
this paper: 
http://www.cgisecurity.com/lib/polymorphic_shellcodes_vs_app_IDSs.PDF
The same technique has been implemented in NIDSFindshellcode and
Prelude IDS. Snort's fnord shellcode detection pre-processor also
tries to detect these alternate NOP instruction sequence and when the
count hits a specific trigger limit, it declares an alarm. These
techniques when subjected to large binary data streams generate a lot
of false positives.
I would say, if the device is doing enchanced protocol parsing there
is even no need to detect shellcode. It would detect a malicious
attack even before that.

On 11/4/05, crazy frog crazy frog <i.m.crazy.frog@gmail.com> wrote:
> hi,
> does current ids/ips are able to detect attacks such as polymorphic
> shell code(adm mutent) or any other such techniques?
> _CF
> --
> bam bam
> ting ding ting ding ting ding
> ting ding ting ding ding
> i m crazy frog :)
> "oh yeah oh yeah...
>  another wannabe, in hackerland!!!"
>
> On 10/31/05, Pukhraj Singh <pukhraj.singh@gmail.com> wrote:
> > Lot of things can be done to evade IPS/IDS.
> >
> > The tricks vary from protcol to protocol. The difference in the
> > decoding mechanism of security appliance and the application server
> > can lead to many evasion techniques. I have created and tested many
> > mutant exploits and they worked beautifully. The idea is to strike and
> > exploit some  fundamental concepts of logic and protocols which
> > IDS/IPS makers tend to ignore or is simply beyond their device
> > capability
> >
> > Apparently, I haven't documented and organized the work I did.
> >
> > But here is an introductory paper you should definitely read:
> > http://www.cs.ucsb.edu/~rsg/Hidra/Papers/2004_vigna_robertson_balzarotti_CCS04.pdf
> >
> > --Pukhraj Singh
> >
> >
> > On 10/27/05, tcp fin <inet_inaddr@yahoo.com> wrote:
> > > Hi Guys ,
> > > Any tips and tricks or good article on IDS/IPS evasion
> > > ?
> > > I have beautiful paper "Insertion, Evasion and Denial
> > > of Service:
> > > Eluding Network Intrusion detection".
> > > I need some pointers on RPC based  evasion techniques.
> > >
> > > Regards,
> > > TCP FIN .
> > >
> > >
> > >
> > >
> > > __________________________________
> > > Yahoo! Mail - PC Magazine Editors' Choice 2005
> > > http://mail.yahoo.com
> > >
> > > ------------------------------------------------------------------------
> > > Test Your IDS
> > >
> > > Is your IDS deployed correctly?
> > > Find out quickly and easily by testing it
> > > with real-world attacks from CORE IMPACT.
> > > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> > > to learn more.
> > > ------------------------------------------------------------------------
> >
> > ------------------------------------------------------------------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it
> > with real-world attacks from CORE IMPACT.
> > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> > to learn more.
> > ------------------------------------------------------------------------
>
>
> -

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------