Subject: Re: sidestep (was RE: Fooling NIDS)
From: Martin Roesch (roeschMD.PRESTIGE.NET)
Date: Fri Dec 08 2000 - 00:03:25 CST


Wow, that's a lot of false alarms. Looks like you've got your portscan
detector set on a hair trigger there. :) Well, at least it picked up the PHF
attack with no tweaking required...

   -Marty

Daniel Harrison wrote:
>
> I just briefly tested sidestep against my home machine, which is running snort.
> I am not an IDS vendor nor am I an IDS tester but here are my results:
>
> sidestep command: sidestep my.home.ip -evade -all
>
> Snort Version: Version 1.6.3-patch2
>
> Log Messages:
>
> Dec 7 08:51:57 pimp snort[494]: spp_portscan: PORTSCAN DETECTED from
> ATTACKER.NET (THRESHOLD 3 connections exceeded in 6 seconds)
> Dec 7 08:52:01 pimp snort[494]: IDS128 - CVE-1999-0067 - CGI phf attempt:
> ATTACKER.NET:14006 -> MY.HOME.IP:80
> Dec 7 08:52:03 pimp snort[494]: spp_portscan: portscan status from
> ATTACKER.NET: 6 connections across 1 hosts: TCP(3), UDP(3)
> Dec 7 08:53:48 pimp snort[494]: spp_portscan: portscan status from
> ATTACKER.NET: 1 connections across 1 hosts: TCP(0), UDP(1)
> Dec 7 08:54:18 pimp snort[494]: spp_portscan: End of portscan from
> ATTACKER.NET: TOTAL time(14s) hosts(1) TCP(3) UDP(4)
>
> And using: sidestep my.home.ip -evade -rpc
>
> snort logged:
>
> Dec 7 09:00:01 pimp snort[494]: spp_portscan: portscan status from
> ATTACKER.NET: 1 connections across 1 hosts: TCP(0), UDP(1)
>
> -dan

--
Martin Roesch
roeschmd.prestige.net
http://www.snort.org
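Marty's remark is that four of the five lines Dan posted are spp_portscan bookkeeping from a threshold of 3 connections in 6 seconds, while the one line that matters is the IDS128 phf signature hit. The following is an added example, not code from the thread or from the Snort project: it parses the quoted Snort 1.6.3 syslog records into structured events, cross-checks the running "portscan status" counters against the "End of portscan" totals, and models a "N connections in T seconds" trigger so one can see how raising the threshold changes what a small probe sets off. The sample log is the thread's own five lines joined back onto single records; the connection timestamps fed to the trigger model are constructed, and the model is a simplified sliding window rather than the preprocessor's actual implementation.

```python
import re
from collections import deque

# Constructed sample: the five Snort syslog lines quoted in the thread, one record per line.
SAMPLE_LOG = """\
Dec 7 08:51:57 pimp snort[494]: spp_portscan: PORTSCAN DETECTED from ATTACKER.NET (THRESHOLD 3 connections exceeded in 6 seconds)
Dec 7 08:52:01 pimp snort[494]: IDS128 - CVE-1999-0067 - CGI phf attempt: ATTACKER.NET:14006 -> MY.HOME.IP:80
Dec 7 08:52:03 pimp snort[494]: spp_portscan: portscan status from ATTACKER.NET: 6 connections across 1 hosts: TCP(3), UDP(3)
Dec 7 08:53:48 pimp snort[494]: spp_portscan: portscan status from ATTACKER.NET: 1 connections across 1 hosts: TCP(0), UDP(1)
Dec 7 08:54:18 pimp snort[494]: spp_portscan: End of portscan from ATTACKER.NET: TOTAL time(14s) hosts(1) TCP(3) UDP(4)
"""

# syslog prefix shared by every record: "Mon DD HH:MM:SS host snort[pid]: message"
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snort\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# the three spp_portscan message shapes seen in the thread
DETECTED_RE = re.compile(r"PORTSCAN DETECTED from (?P<src>\S+) \(THRESHOLD (?P<threshold>\d+) connections exceeded in (?P<window>\d+) seconds\)")
STATUS_RE = re.compile(r"portscan status from (?P<src>\S+): (?P<conns>\d+) connections across (?P<hosts>\d+) hosts: TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)")
END_RE = re.compile(r"End of portscan from (?P<src>\S+): TOTAL time\((?P<secs>\d+)s\) hosts\((?P<hosts>\d+)\) TCP\((?P<tcp>\d+)\) UDP\((?P<udp>\d+)\)")
# a rule hit: "IDSnnn - CVE-... - name: src:sport -> dst:dport"
SIG_RE = re.compile(r"^(?P<sid>IDS\d+) - (?P<cve>CVE-\d{4}-\d+) - (?P<name>.*?): (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$")


def _num(v):
    """Turn purely numeric regex captures into ints, leave names alone."""
    return int(v) if v.isdigit() else v


def parse_snort_syslog(text):
    """Parse Snort syslog output into a list of event dicts tagged with a 'kind'."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a snort record (other daemons share the syslog)
        msg = m.group("msg")
        base = {"ts": m.group("ts"), "host": m.group("host"), "pid": int(m.group("pid"))}
        if msg.startswith("spp_portscan:"):
            body = msg[len("spp_portscan:"):].strip()
            for kind, rx in (("scan_start", DETECTED_RE), ("scan_status", STATUS_RE), ("scan_end", END_RE)):
                sm = rx.match(body)
                if sm:
                    events.append({**base, "kind": kind, **{k: _num(v) for k, v in sm.groupdict().items()}})
                    break
        else:
            sm = SIG_RE.match(msg)
            if sm:
                events.append({**base, "kind": "signature", **{k: _num(v) for k, v in sm.groupdict().items()}})
    return events


def summarize(events):
    """Separate rule hits from portscan chatter and reconcile the running counters with the final totals."""
    status = [e for e in events if e["kind"] == "scan_status"]
    start = next((e for e in events if e["kind"] == "scan_start"), None)
    end = next((e for e in events if e["kind"] == "scan_end"), None)
    return {
        "signature_alerts": sum(1 for e in events if e["kind"] == "signature"),
        "portscan_alerts": sum(1 for e in events if e["kind"] != "signature"),
        "threshold": (start["threshold"], start["window"]) if start else None,
        "status_tcp": sum(e["tcp"] for e in status),   # should equal the End of portscan TCP total
        "status_udp": sum(e["udp"] for e in status),   # should equal the End of portscan UDP total
        "end_tcp": end["tcp"] if end else None,
        "end_udp": end["udp"] if end else None,
    }


def first_trigger(conn_times, threshold, window_s):
    """Simplified 'threshold connections within window_s seconds' model (not spp_portscan's real code).

    Returns the index of the connection that first fills the window, or None if the probe never trips it.
    """
    window = deque()
    for i, t in enumerate(sorted(conn_times)):
        window.append(t)
        while window and window[0] < t - window_s:
            window.popleft()
        if len(window) >= threshold:
            return i
    return None


# Constructed: six connection arrival times (seconds) for a small probe like the one in the thread.
PROBE_TIMES = [0.0, 1.5, 2.5, 4.0, 9.0, 14.0]

if __name__ == "__main__":
    events = parse_snort_syslog(SAMPLE_LOG)
    print(summarize(events))
    print("3 in 6s trips at connection index:", first_trigger(PROBE_TIMES, 3, 6))
    print("5 in 6s trips at connection index:", first_trigger(PROBE_TIMES, 5, 6))
```

The reconciliation in summarize shows the two status lines (TCP 3 + 0, UDP 3 + 1) adding up to the TCP(3) UDP(4) totals in the End of portscan line, which is a cheap sanity check when sifting a noisy log. The trigger model makes Marty's point concrete: with the default 3-in-6-seconds setting the probe trips the detector on its third connection, whereas a setting of 5 in 6 seconds never fires on this traffic, and the phf rule hit is reported either way.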