Subject: Re: sidestep (was RE: Fooling NIDS)
From: Robert Graham (robert_david_graham at YAHOO.COM)
Date: Thu Dec 07 2000 - 21:20:49 CST
- Next message: Robert Graham: "Re: FW: network based IDS"
- Previous message: Michael Davis: "Re: network based IDS"
- Maybe in reply to: Robert Graham: "sidestep (was RE: Fooling NIDS)"
- Next in thread: Robert Graham: "Re: sidestep (was RE: Fooling NIDS)"
- Next in thread: Jon Gary: "Re: Fooling NIDS"
- Maybe reply: Robert Graham: "Re: sidestep (was RE: Fooling NIDS)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
--- Patrick Mueller <pmueller at NEOHAPSIS.COM> wrote:
> So, you mention (on the web page) that sidestep has nothing to do with
> IP/TCP fragmentation. The obvious question is, what does it do?? I also see
> that you're going to be writing a report in January, but in the mean time,
> could you give us an idea? Thanks..
Networks are layered. IP is layer 3, TCP is layer 4. Therefore, fragmentation
is an evasion attack against layers 3 and 4.
Sidestep works at the application layer. Like fragmentation, it changes how
requests are sent across the wire. However, it leaves the MEANING the same.
The traditional example is the PHF attack. The following URLs are equivalent:
http://www.robertgraham.com/cgi-bin/phf
http://www.robertgraham.com/cgi-bin/./phf
http://www.robertgraham.com/cgi-bin/%2E/phf
However, they LOOK different. Therefore, an IDS that triggers on the pattern
match of "/cgi-bin/phf" will detect the first, but not the other two patterns.
However, all the patterns are interpreted the same by HTTP servers.
These are called "whisker" evasion techniques, named after the HTTP scanner
that used them.
However, the same principle can be extended to virtually all other protocols.
Unfortunately, while the principle is easy, the implementation for each
different protocol is different (and a lot of work). This is why sidestep is a
little bit complicated: I had to write a client for each protocol, which is a
fair amount of work.
=====
Robert Graham
Personal: http://www.robertgraham.com Work: CTO Network ICE
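The evasion Graham describes above, worked through in code. This is an added illustration, not sidestep's own source and not code from the original post: it assumes the IDS rule is a literal substring match for "/cgi-bin/phf", and it models the server side with a small normalizer (percent-decoding, then collapsing "." and ".." segments) that approximates how an HTTP server resolves the request path before dispatching it. The three URLs from the post are used as sample input, together with a few constructed variants (double encoding, a "foo/../" detour) that the same principle covers.

```python
"""Pattern-match IDS rule versus a rule applied after path normalization.

Added example: the SIGNATURE, the naive rule, and the normalizer are
illustrative assumptions, not sidestep's or any real IDS's implementation.
"""
from urllib.parse import unquote

# The literal pattern the naive IDS rule looks for (assumption for the example).
SIGNATURE = "/cgi-bin/phf"

# Constructed sample requests: the three from the post plus extra variants.
SAMPLE_URLS = [
    "http://www.robertgraham.com/cgi-bin/phf",
    "http://www.robertgraham.com/cgi-bin/./phf",
    "http://www.robertgraham.com/cgi-bin/%2E/phf",
    "http://www.robertgraham.com/cgi-bin/foo/../phf",   # constructed: ".." detour
    "http://www.robertgraham.com/cgi-bin/%252E/phf",    # constructed: double encoding
    "http://www.robertgraham.com/index.html",           # constructed: benign request
]


def naive_match(url: str) -> bool:
    """A byte-pattern rule: alert if the signature appears verbatim on the wire."""
    return SIGNATURE in url


def request_path(url: str) -> str:
    """Strip scheme, host and query string, leaving only the request path."""
    rest = url.split("://", 1)[-1]
    path = rest[rest.find("/"):] if "/" in rest else "/"
    return path.split("?", 1)[0]


def normalize_path(path: str) -> str:
    """Canonicalize a path roughly the way an origin server interprets it.

    Percent-decoding is repeated (bounded) so that double-encoded bytes such
    as %252E are reduced to the character the server would finally see, then
    "", "." and ".." segments are resolved.
    """
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def normalized_match(url: str) -> bool:
    """The same rule, applied to the canonical path instead of the raw bytes."""
    return SIGNATURE in normalize_path(request_path(url))


def compare(urls):
    """Return (url, naive_hit, normalized_hit) for each sample request."""
    return [(u, naive_match(u), normalized_match(u)) for u in urls]


if __name__ == "__main__":
    for url, naive, normalized in compare(SAMPLE_URLS):
        print(f"{url:55} naive={naive!s:5} normalized={normalized}")
```

Only the first sample trips the naive rule; every variant except the benign request trips the normalized one. The bounded decode loop matters: a normalizer that decodes exactly once is itself evadable by double encoding, which is the same principle applied one layer deeper.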