
| Subject: | Re: IPS Vendor Evasion |
|---|---|
| Date: | Wed, 3 Jan 2007 13:18:53 -0600 |
We didn't publish any such list of vendors. Every IDS/IPS product I have tested has at least one major evasion issue. I won't list what vendors these are, but saying the "top 5" wouldn't be far off. Preventing evasion is a hard problem and depends on the IPS knowing more about the target than the attacker. Two great "whitespace" examples come to mind:

1) Signatures that use \s and \S in their regular expressions. Not every text-based service treats the same byte set as "whitespace". The \s match often includes characters that things like FTP and SMTP servers don't consider white-space. Unless the IDS product is aware of how every vendor handles whitespace (and knows what target IP and service is what vendor), there is a good chance that any signature containing \s or \S is evadable.

2) HTTP protocol parsers that don't consider all of 0x09, 0x0b, 0x0c, 0x0d, and 0x20 to be valid whitespace for separating HTTP fields are evadable when the target application is hosted on Apache or uses an Apache-based reverse proxy. If the IDS does treat all of these characters as whitespace, the signatures may still be evadable when a non-Apache server is being targeted.

Granted, it is possible to write signatures in a way that neither of these cases is an issue.

-HD

On Tuesday 02 January 2007 20:49, trav_2@hotmail.com wrote:
> At Blackhat HD Moore and Brian Caswell did a presentation of bypassing IPS. Maybe I dreamed this but wasn't there a list of vendors that were and were not bypassed? Maybe it was not HD and Brian that did it. If there was such a thing where can I find it?
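A small signature-audit harness, added here and not part of HD's message, that checks the two whitespace gaps he describes: what a regex `\s` class actually matches versus a target's separator set, and whether a URI signature still fires when the IDS parser's separator set is narrower than the one Apache honours. The Apache byte set is the one named above; the "naive IDS" set, the `/cgi-bin/test.cgi` request line and the signature are constructed assumptions.

```python
import re

# Constructed for illustration. APACHE_HTTP_WS is the byte set HD names for
# Apache; NAIVE_IDS_WS stands in for a hypothetical HTTP parser that splits
# request-line fields only on space and tab.
APACHE_HTTP_WS = {0x09, 0x0b, 0x0c, 0x0d, 0x20}
NAIVE_IDS_WS = {0x09, 0x20}

def regex_class_bytes(cls):
    """Every byte value a one-character regex class such as rb'\\s' matches."""
    return {b for b in range(256) if re.fullmatch(cls, bytes([b]))}

def ws_class(ws):
    """Regex character class matching exactly the separator bytes in `ws`."""
    return b"[" + b"".join(b"\\x%02x" % b for b in sorted(ws)) + b"]"

def whitespace_gap(sig_ws, target_ws):
    """Bytes on which a signature and its target disagree.
    target_only: separators the server honours but the signature does not,
      so a request built with them is valid to the server while the
      signature's field boundaries land in the wrong place (evasion gap).
    sig_only: the reverse; the signature splits where the server does not
      (\\S tokens cut short, false positives)."""
    return {"target_only": sorted(target_ws - sig_ws),
            "sig_only": sorted(sig_ws - target_ws)}

def request_uri(line, ws):
    """URI of a request line as a parser with separator set `ws` sees it."""
    fields = [f for f in re.split(ws_class(ws) + b"+", line) if f]
    return fields[1] if len(fields) == 3 else None

def audit_uri_signature(sig, server_ws, ids_ws):
    """Separator bytes for which the server extracts a URI the signature
    matches, yet the same signature applied to the IDS parser's URI field
    does not fire. The request line is constructed; only the separator varies."""
    gaps = []
    for b in sorted(server_ws):
        line = b"GET" + bytes([b]) + b"/cgi-bin/test.cgi" + bytes([b]) + b"HTTP/1.0"
        server_uri = request_uri(line, server_ws)
        ids_uri = request_uri(line, ids_ws)
        if server_uri and re.search(sig, server_uri):
            if not (ids_uri and re.search(sig, ids_uri)):
                gaps.append(b)
    return gaps
```

Running `audit_uri_signature` with the IDS parser's set equal to the server's returns an empty list, which is the check a signature author would want before shipping: the parser's separator set must match the target's, not the regex engine's idea of whitespace.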