Subject: Re: Fooling NIDS
From: Crist Clark (crist.clark GLOBALSTAR.COM)
Date: Tue Dec 05 2000 - 13:57:31 CST
- Next message: Jon Gary: "Re: Fooling NIDS"
- Previous message: thiebaut.adsl: "Re: combination of IDS and scanner"
- In reply to: Matías Bevilacqua: "Fooling NIDS"
- Next in thread: Martin Roesch: "Re: Fooling NIDS"
- Next in thread: Jon Gary: "Re: Fooling NIDS"
- Reply: Crist Clark: "Re: Fooling NIDS"
- Reply: Martin Roesch: "Re: Fooling NIDS"
Matías Bevilacqua wrote:
>
> This idea has just occurred to me (10sec. so don't blame me on it). Has
> someone seen in the wild attackers fooling NIDS systems just to get security
> personnel running from host to host while silently compromising other systems
> while sec. guys are occupied?
>
> I'm talking about something like nmap's -D option. Make 20 alarms jump
> while you're randomly hacking at one of those machines. Sure you'll gain
> some time to conceal your traces.
>
> What about setting off 1000 alarms just for fun? Could we coin that as ADoD
> (Admin DoS)
> Someone seen this out there?
How about Stephane Aubert's IDSwakeup tool?
http://www.hsc.fr/ressources/outils/idswakeup/index.html.en
He had some fun setting off false alarms on vendors' IDSs at SANS in Monterey
while he did a unicode exploit on a webserver. I've managed to crash Snort
reliably with it too.
--
Crist J. Clark
Network Security Engineer
crist.clarkglobalstar.com
Globalstar, L.P.
(408) 933-4387 FAX: (408) 933-4926