
| Subject: | Re: [Full-Disclosure] Re: Bypassing "smart" IDSes with misdirected frames? (long and boring) |
|---|---|
| Date: | Fri, 28 May 2004 18:21:39 +0200 (CEST) |

On Fri, 28 May 2004, Jim Bauer wrote:

> The IDS will not see a valid response to the "DATA" command (that is never received) so it will know it is still in SMTP command mode. Even if your not-so-smart IDS let this slip by, there is still the issue of "DEBUG" not being in a valid format for a header.

Which is precisely what I stated in the next paragraph. This is a naive
example, but illustrates a far broader and non-SMTP-specific problem quite
well. There are various protocols or attack vectors that do not involve
challenge-response communications (even the problem of distinguishing
between message body and message headers can be an example).
Cheers,
--
------------------------- bash$ :(){ :|:&};: --
Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--------------------------- 2004-05-28 18:19 --
http://lcamtuf.coredump.cx/photo/current/
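
Added example, not part of the original message: a sensor-side SMTP state tracker showing the check discussed above, where the sensor enters message-body mode only after it sees the server's 354 reply to "DATA", compared with a naive tracker that trusts the client bytes alone. Class and function names, the sessions, and the server reply texts are constructed for illustration; it assumes lockstep command/reply traffic without pipelining.

```python
# Added illustration: sensor-side SMTP mode tracking on constructed sessions.
SUSPICIOUS = {"DEBUG"}  # command verb from the thread's example

class SmtpTracker:
    def __init__(self, wait_for_354=True):
        self.wait_for_354 = wait_for_354
        self.in_data = False       # True while the sensor believes it is in the body
        self.data_pending = False  # DATA seen from client, server reply not yet seen
        self.alerts = []

    def client_line(self, line):
        text = line.rstrip("\r\n")
        if self.in_data:
            if text == ".":        # end-of-message marker returns to command mode
                self.in_data = False
            return                 # body lines are not parsed as commands
        verb = text.split(" ", 1)[0].upper()
        if verb == "DATA":
            if self.wait_for_354:
                self.data_pending = True  # stay in command mode until the server agrees
            else:
                self.in_data = True       # naive: trust the client-side bytes alone
        elif verb in SUSPICIOUS:
            self.alerts.append(text)

    def server_line(self, line):
        if line[3:4] == "-":       # continuation line of a multi-line reply
            return
        if self.data_pending:
            self.in_data = line.startswith("354")
            self.data_pending = False

def run(session, wait_for_354=True):
    tracker = SmtpTracker(wait_for_354)
    for side, line in session:
        (tracker.client_line if side == "C" else tracker.server_line)(line)
    return tracker.alerts

# Constructed: the sensor sees "DATA", but the server never answers it with 354.
UNANSWERED_DATA = [("S", "220 mail.example.test ESMTP"),
                   ("C", "HELO client.example.test"), ("S", "250 mail.example.test"),
                   ("C", "DATA"), ("C", "DEBUG"), ("S", "500 Command unrecognized")]
# Constructed: ordinary delivery whose body happens to contain the word DEBUG.
NORMAL = [("C", "MAIL FROM:<a@example.test>"), ("S", "250 OK"),
          ("C", "RCPT TO:<b@example.test>"), ("S", "250 OK"),
          ("C", "DATA"), ("S", "354 End data with <CR><LF>.<CR><LF>"),
          ("C", "DEBUG"), ("C", "."), ("S", "250 OK")]

if __name__ == "__main__":
    print(run(UNANSWERED_DATA, True), run(UNANSWERED_DATA, False), run(NORMAL, True))
```

The same approach does not carry over to the header/body boundary inside the message, since the server sends no reply that confirms it.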