NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > FOCUS-IDS> 2000-q4

Subject: Re: sidestep (was RE: Fooling NIDS)
From: Ben Carr (bcarrINTRUSION.COM)
Date: Thu Dec 07 2000 - 16:44:43 CST

Next message: Michael Davis: "Re: network based IDS"
Previous message: Daniel Harrison: "Re: sidestep (was RE: Fooling NIDS)"
Maybe in reply to: Robert Graham: "sidestep (was RE: Fooling NIDS)"
Next in thread: Robert Graham: "Re: sidestep (was RE: Fooling NIDS)"
Next in thread: Jon Gary: "Re: Fooling NIDS"
Maybe reply: Ben Carr: "Re: sidestep (was RE: Fooling NIDS)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Trying to stay away from promoting a product but SecureNet Pro supports
multi-path IP fragment and TCP segment reassembly, configurable on a
per-host basis.

Ben Carr

-----Original Message-----
From: Mark McLaughlin [mailto:mmclaughlinsilverbacktech.com]
Sent: Wednesday, December 06, 2000 9:11 PM
To: FOCUS-IDSSECURITYFOCUS.COM
Subject: Re: sidestep (was RE: Fooling NIDS)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: MD5

Hello,

Tuesday, December 05, 2000, 10:47:01 PM, you wrote:

RG> BTW, I've been working on an IDS evasion program for awhile. It is
RG> (temporarily) at:
RG> http://www.robertgraham.com/tmp/sidestep.html

In your description of sidestep.exe you mention that you "know only two
network
IDSs that correctly resolve overlapping TCP or IP fragments on a
per-host basis."

I would imagine that Black Ice is one, what is the other?

- -Mark

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQEVAwUAOi7/yMnEFVVI7KKjAQE1wQf+KCyvvmPM3CYv2uDpyXP7AY2PJVjuGPV3
GbuhsTcHEafXvtVgcNkIYslUARwcSzabg7Hv4E+7wCoWd/20AVkmPK/8xguaHgiK
czq+R6tG6PK0tWc4AwpmneOxK2nOZayZ2/OIJA1gOZAT8EfFusURdiDsAbUpTxkX
kgu5wTv1Jy7MimZGn0YeXbW+UQXmZxVo5yDegzVkb9uVu/j+ubL0K9r6qez8j9XL
/APvGMmpCbIBw7LD/vRppsizyhdIe89oHraljV3GQAj+62P3vXxB2TzCg3WGngig
ImVjrk/+CKGYPe8XqTuHYTC24kBaQJlAV763N3dP93kHjH5mPb15NQ==
=m4aP
-----END PGP SIGNATURE-----

Next message: Michael Davis: "Re: network based IDS"
Previous message: Daniel Harrison: "Re: sidestep (was RE: Fooling NIDS)"
Maybe in reply to: Robert Graham: "sidestep (was RE: Fooling NIDS)"
Next in thread: Robert Graham: "Re: sidestep (was RE: Fooling NIDS)"
Next in thread: Jon Gary: "Re: Fooling NIDS"
Maybe reply: Ben Carr: "Re: sidestep (was RE: Fooling NIDS)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]