NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > FOCUS-IDS> 2000-q4

Subject: sidestep (was RE: Fooling NIDS)
From: Robert Graham (robert_david_grahamYAHOO.COM)
Date: Tue Dec 05 2000 - 21:47:01 CST

Next message: Mark McLaughlin: "Re: sidestep (was RE: Fooling NIDS)"
Previous message: Randy Taylor: "Re: network based IDS"
In reply to: Crist Clark: "Re: Fooling NIDS"
Next in thread: Mark McLaughlin: "Re: sidestep (was RE: Fooling NIDS)"
Next in thread: Jon Gary: "Re: Fooling NIDS"
Reply: Robert Graham: "sidestep (was RE: Fooling NIDS)"
Reply: Mark McLaughlin: "Re: sidestep (was RE: Fooling NIDS)"
Reply: Patrick Mueller: "Re: sidestep (was RE: Fooling NIDS)"
Reply: Daniel Harrison: "Re: sidestep (was RE: Fooling NIDS)"
Reply: Ben Carr: "Re: sidestep (was RE: Fooling NIDS)"
Reply: Robert Graham: "Re: sidestep (was RE: Fooling NIDS)"
Reply: Robert Graham: "Re: sidestep (was RE: Fooling NIDS)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

BTW, I've been working on an IDS evasion program for awhile. It is
(temporarily) at:
http://www.robertgraham.com/tmp/sidestep.html

It does many non-fragrouter IDS evasion techniques. I think most evade
Snort, but I haven't had a chance to test them out yet. Anyway, I plan on
writing a more formal paper in January; I was hoping people could run it
against their favorite NIDS and tell me how it worked. I think most can now
handle the HTTP evasion technique, and I know ISS can handle the SNMP
evasion technique, but I'd like to hear more about other NIDS.

Robert Graham
CTO/Network ICE

PS: in case you were wondering, it doesn't evade BlackICE Sentry :-), but
that should go without saying.

_________________________________________________________
Do You Yahoo!?
Get your free yahoo.com address at http://mail.yahoo.com

Next message: Mark McLaughlin: "Re: sidestep (was RE: Fooling NIDS)"
Previous message: Randy Taylor: "Re: network based IDS"
In reply to: Crist Clark: "Re: Fooling NIDS"
Next in thread: Mark McLaughlin: "Re: sidestep (was RE: Fooling NIDS)"
Next in thread: Jon Gary: "Re: Fooling NIDS"
Reply: Robert Graham: "sidestep (was RE: Fooling NIDS)"
Reply: Mark McLaughlin: "Re: sidestep (was RE: Fooling NIDS)"
Reply: Patrick Mueller: "Re: sidestep (was RE: Fooling NIDS)"
Reply: Daniel Harrison: "Re: sidestep (was RE: Fooling NIDS)"
Reply: Ben Carr: "Re: sidestep (was RE: Fooling NIDS)"
Reply: Robert Graham: "Re: sidestep (was RE: Fooling NIDS)"
Reply: Robert Graham: "Re: sidestep (was RE: Fooling NIDS)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]