Subject: Re: sidestep (was RE: Fooling NIDS)
From: Daniel Harrison (danielh at LOUDCLOUD.COM)
Date: Thu Dec 07 2000 - 11:19:40 CST
- Next message: Ben Carr: "Re: sidestep (was RE: Fooling NIDS)"
- Previous message: Patrick Mueller: "Re: sidestep (was RE: Fooling NIDS)"
- In reply to: Robert Graham: "sidestep (was RE: Fooling NIDS)"
- Next in thread: Martin Roesch: "Re: sidestep (was RE: Fooling NIDS)"
- Next in thread: Ben Carr: "Re: sidestep (was RE: Fooling NIDS)"
- Next in thread: Jon Gary: "Re: Fooling NIDS"
- Reply: Daniel Harrison: "Re: sidestep (was RE: Fooling NIDS)"
- Reply: Martin Roesch: "Re: sidestep (was RE: Fooling NIDS)"
- Reply: ME: "Re: sidestep (was RE: Fooling NIDS)"
Robert Graham wrote:
> BTW, I've been working on an IDS evasion program for a while. It is
> (temporarily) at:
> http://www.robertgraham.com/tmp/sidestep.html
>
> It does many non-fragrouter IDS evasion techniques. I think most evade
> Snort, but I haven't had a chance to test them out yet. Anyway, I plan on
> writing a more formal paper in January; I was hoping people could run it
> against their favorite NIDS and tell me how it worked. I think most can now
> handle the HTTP evasion technique, and I know ISS can handle the SNMP
> evasion technique, but I'd like to hear more about other NIDS.
>
> Robert Graham
> CTO/Network ICE
>
> PS: in case you were wondering, it doesn't evade BlackICE Sentry :-), but
> that should go without saying.
I just briefly tested sidestep against my home machine, which is running Snort.
I am not an IDS vendor, nor am I an IDS tester, but here are my results:
sidestep command: sidestep my.home.ip -evade -all
Snort Version: Version 1.6.3-patch2
Log Messages:
Dec 7 08:51:57 pimp snort[494]: spp_portscan: PORTSCAN DETECTED from ATTACKER.NET (THRESHOLD 3 connections exceeded in 6 seconds)
Dec 7 08:52:01 pimp snort[494]: IDS128 - CVE-1999-0067 - CGI phf attempt: ATTACKER.NET:14006 -> MY.HOME.IP:80
Dec 7 08:52:03 pimp snort[494]: spp_portscan: portscan status from ATTACKER.NET: 6 connections across 1 hosts: TCP(3), UDP(3)
Dec 7 08:53:48 pimp snort[494]: spp_portscan: portscan status from ATTACKER.NET: 1 connections across 1 hosts: TCP(0), UDP(1)
Dec 7 08:54:18 pimp snort[494]: spp_portscan: End of portscan from ATTACKER.NET: TOTAL time(14s) hosts(1) TCP(3) UDP(4)
And using: sidestep my.home.ip -evade -rpc
Snort logged:
Dec 7 09:00:01 pimp snort[494]: spp_portscan: portscan status from ATTACKER.NET: 1 connections across 1 hosts: TCP(0), UDP(1)
-dan
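Added example (not part of Dan's message, nor code from Snort or sidestep): a small Python model of what the quoted log lines report. It parses Snort 1.6-style syslog lines of the three shapes shown above, re-implements a sliding-window threshold detector in the spirit of spp_portscan's "THRESHOLD 3 connections exceeded in 6 seconds", and builds the per-source summary that the "portscan status" line prints. The connection events and log lines are constructed here (hostnames are placeholders copied from the post); the function names and the exact counting rule (distinct destination ports per source inside the window) are assumptions, not Snort's internals.

```python
import re
from collections import defaultdict, deque

# Constructed syslog lines in the shape of those quoted in the message.
SNORT_LOG = """\
Dec  7 08:51:57 pimp snort[494]: spp_portscan: PORTSCAN DETECTED from ATTACKER.NET (THRESHOLD 3 connections exceeded in 6 seconds)
Dec  7 08:52:01 pimp snort[494]: IDS128 - CVE-1999-0067 - CGI phf attempt: ATTACKER.NET:14006 -> MY.HOME.IP:80
Dec  7 08:52:03 pimp snort[494]: spp_portscan: portscan status from ATTACKER.NET: 6 connections across 1 hosts: TCP(3), UDP(3)
"""

PORTSCAN_RE = re.compile(
    r"spp_portscan: PORTSCAN DETECTED from (?P<src>\S+) "
    r"\(THRESHOLD (?P<threshold>\d+) connections exceeded in (?P<window>\d+) seconds\)")
STATUS_RE = re.compile(
    r"spp_portscan: portscan status from (?P<src>\S+): (?P<conns>\d+) connections "
    r"across (?P<hosts>\d+) hosts: TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)")
SIG_RE = re.compile(
    r"(?P<sid>IDS\d+) - (?P<cve>CVE-\d{4}-\d{4}) - (?P<msg>.+?): "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$")


def parse_snort_syslog(text):
    """Classify each Snort syslog line as portscan / status / signature.
    Numeric fields are converted to int; lines of unknown shape are skipped."""
    records = []
    for line in text.splitlines():
        for kind, rx in (("portscan", PORTSCAN_RE), ("status", STATUS_RE), ("signature", SIG_RE)):
            m = rx.search(line)
            if m:
                rec = {"kind": kind}
                rec.update({k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()})
                records.append(rec)
                break
    return records


# Constructed connection attempts: (t_seconds, src, dst, proto, dst_port).
# Hostnames are the placeholders used in the post, not real hosts.
EVENTS = [
    (0, "ATTACKER.NET", "MY.HOME.IP", "TCP", 21),
    (1, "ATTACKER.NET", "MY.HOME.IP", "UDP", 161),
    (2, "ATTACKER.NET", "MY.HOME.IP", "TCP", 23),   # third distinct port within 6 s: alert
    (4, "ATTACKER.NET", "MY.HOME.IP", "UDP", 111),
    (5, "ATTACKER.NET", "MY.HOME.IP", "TCP", 80),
    (6, "ATTACKER.NET", "MY.HOME.IP", "UDP", 69),
    (200, "10.0.0.5", "MY.HOME.IP", "TCP", 80),     # a single connection never trips the threshold
]


def detect_portscans(events, threshold=3, window=6):
    """Sliding-window detector (assumed rule): alert once per source when at least
    `threshold` distinct (proto, port) targets are hit within `window` seconds.
    Returns a list of (src, alert_time, threshold, window)."""
    recent = defaultdict(deque)   # src -> deque of (t, proto, port) still inside the window
    alerted = set()
    alerts = []
    for t, src, _dst, proto, port in sorted(events):
        q = recent[src]
        q.append((t, proto, port))
        while t - q[0][0] > window:   # drop entries that have aged out of the window
            q.popleft()
        if len({(p, pt) for _, p, pt in q}) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, t, threshold, window))
    return alerts


def portscan_status(events, src):
    """Per-source summary in the shape of the 'portscan status' line:
    total connections, distinct destination hosts, TCP and UDP counts."""
    mine = [e for e in events if e[1] == src]
    return {
        "connections": len(mine),
        "hosts": len({e[2] for e in mine}),
        "TCP": sum(1 for e in mine if e[3] == "TCP"),
        "UDP": sum(1 for e in mine if e[3] == "UDP"),
    }


if __name__ == "__main__":
    for rec in parse_snort_syslog(SNORT_LOG):
        print(rec)
    for src, t, thr, win in detect_portscans(EVENTS):
        print(f"PORTSCAN DETECTED from {src} at t={t}s (THRESHOLD {thr} in {win} seconds)")
    print(portscan_status(EVENTS, "ATTACKER.NET"))
```

Run stand-alone it prints the parsed records, one alert for ATTACKER.NET at t=2 s, and a status summary of 6 connections across 1 host, TCP(3) UDP(3), matching the counts in the quoted log. The single low-rate connection from the second source never reaches the threshold, which is also the evasion angle Dan's -rpc run illustrates: when a probe generates only one or two connections inside the window, a threshold-based preprocessor has nothing to report.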