Subject: Re: sidestep (was RE: Fooling NIDS)
From: ME (stealthmode316@PEOPLEPC.COM)
Date: Fri Dec 08 2000 - 03:40:12 CST
- Next message: Mike Forrester: "Re: network based IDS"
- Previous message: Martin Roesch: "Re: sidestep (was RE: Fooling NIDS)"
- In reply to: Daniel Harrison: "Re: sidestep (was RE: Fooling NIDS)"
- Next in thread: Ben Carr: "Re: sidestep (was RE: Fooling NIDS)"
- Reply: ME: "Re: sidestep (was RE: Fooling NIDS)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Speaking of BlackICE,
When is there going to be an update? It's been some time since the last one.
I would like to get at least a couple more before it runs out in Feb. 2001.
stealthmode316
-----Original Message-----
From: Focus on Intrusion Detection Systems
[mailto:FOCUS-IDS@SECURITYFOCUS.COM] On Behalf Of Daniel Harrison
Sent: Thursday, December 07, 2000 10:20 AM
To: FOCUS-IDS@SECURITYFOCUS.COM
Subject: Re: sidestep (was RE: Fooling NIDS)
Robert Graham wrote:
> BTW, I've been working on an IDS evasion program for awhile. It is
> (temporarily) at:
> http://www.robertgraham.com/tmp/sidestep.html
>
> It does many non-fragrouter IDS evasion techniques. I think most evade
> Snort, but I haven't had a chance to test them out yet. Anyway, I plan on
> writing a more formal paper in January; I was hoping people could run it
> against their favorite NIDS and tell me how it worked. I think most can now
> handle the HTTP evasion technique, and I know ISS can handle the SNMP
> evasion technique, but I'd like to hear more about other NIDS.
>
> Robert Graham
> CTO/Network ICE
>
> PS: in case you were wondering, it doesn't evade BlackICE Sentry :-), but
> that should go without saying.
I just briefly tested sidestep against my home machine, which is running snort.
I am not an IDS vendor, nor am I an IDS tester, but here are my results:
sidestep command: sidestep my.home.ip -evade -all
Snort Version: Version 1.6.3-patch2
Log Messages:
Dec 7 08:51:57 pimp snort[494]: spp_portscan: PORTSCAN DETECTED from ATTACKER.NET (THRESHOLD 3 connections exceeded in 6 seconds)
Dec 7 08:52:01 pimp snort[494]: IDS128 - CVE-1999-0067 - CGI phf attempt: ATTACKER.NET:14006 -> MY.HOME.IP:80
Dec 7 08:52:03 pimp snort[494]: spp_portscan: portscan status from ATTACKER.NET: 6 connections across 1 hosts: TCP(3), UDP(3)
Dec 7 08:53:48 pimp snort[494]: spp_portscan: portscan status from ATTACKER.NET: 1 connections across 1 hosts: TCP(0), UDP(1)
Dec 7 08:54:18 pimp snort[494]: spp_portscan: End of portscan from ATTACKER.NET: TOTAL time(14s) hosts(1) TCP(3) UDP(4)
And using: sidestep my.home.ip -evade -rpc
snort logged:
Dec 7 09:00:01 pimp snort[494]: spp_portscan: portscan status from ATTACKER.NET: 1 connections across 1 hosts: TCP(0), UDP(1)
-dan
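Added example (not from Dan's post, from Snort or from sidestep): a small Python parser that reads the Snort 1.6.3 syslog lines quoted above and separates content-rule alerts (the IDS128 phf line) from spp_portscan preprocessor noise, so each sidestep run can be labelled "signature hit", "portscan-only" or "silent". The sample input is the log text from Dan's two runs, re-joined onto single lines; ATTACKER.NET and MY.HOME.IP are the placeholders from his post, and the function and variable names are mine.

```python
import re
from typing import Dict, Optional

# Constructed sample: the Snort syslog lines quoted in the post, unwrapped.
RUN_ALL = """\
Dec 7 08:51:57 pimp snort[494]: spp_portscan: PORTSCAN DETECTED from ATTACKER.NET (THRESHOLD 3 connections exceeded in 6 seconds)
Dec 7 08:52:01 pimp snort[494]: IDS128 - CVE-1999-0067 - CGI phf attempt: ATTACKER.NET:14006 -> MY.HOME.IP:80
Dec 7 08:52:03 pimp snort[494]: spp_portscan: portscan status from ATTACKER.NET: 6 connections across 1 hosts: TCP(3), UDP(3)
Dec 7 08:53:48 pimp snort[494]: spp_portscan: portscan status from ATTACKER.NET: 1 connections across 1 hosts: TCP(0), UDP(1)
Dec 7 08:54:18 pimp snort[494]: spp_portscan: End of portscan from ATTACKER.NET: TOTAL time(14s) hosts(1) TCP(3) UDP(4)
"""
RUN_RPC = """\
Dec 7 09:00:01 pimp snort[494]: spp_portscan: portscan status from ATTACKER.NET: 1 connections across 1 hosts: TCP(0), UDP(1)
"""

# Syslog envelope as seen in the post: "<Mon> <d> <HH:MM:SS> <host> snort[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) snort\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Content-rule alert: "[IDSnnn - ][CVE-yyyy-nnnn - ]<rule msg>: src:port -> dst:port"
# (the IDS/CVE prefixes are optional so rules without references still parse).
SIGNATURE_RE = re.compile(
    r"^(?:(?P<sid>IDS\d+) - )?(?:(?P<cve>CVE-\d{4}-\d+) - )?"
    r"(?P<name>.+?): (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$"
)
# spp_portscan preprocessor messages; only the event type and the scanner matter here.
PORTSCAN_RE = re.compile(
    r"^spp_portscan: (?P<event>PORTSCAN DETECTED|portscan status|End of portscan) "
    r"from (?P<src>[^\s:]+)"
)


def parse_line(line: str) -> Optional[dict]:
    """Classify one syslog line from Snort; returns None for lines not from snort."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "pid": int(m.group("pid"))}
    msg = m.group("msg")
    ps = PORTSCAN_RE.match(msg)
    if ps:
        rec.update(kind="portscan", event=ps.group("event"), src=ps.group("src"))
        return rec
    sig = SIGNATURE_RE.match(msg)
    if sig:
        rec.update(kind="signature", sid=sig.group("sid"), cve=sig.group("cve"),
                   name=sig.group("name"), src=sig.group("src"),
                   sport=int(sig.group("sport")), dst=sig.group("dst"),
                   dport=int(sig.group("dport")))
        return rec
    rec.update(kind="other", msg=msg)
    return rec


def summarize(log_text: str) -> dict:
    """Split one run's log into content-signature hits and portscan-only noise."""
    sigs, scanners, other = [], set(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "signature":
            sigs.append(rec)
        elif rec["kind"] == "portscan":
            scanners.add(rec["src"])
        else:
            other.append(rec["msg"])
    return {"signature_alerts": sigs, "portscan_sources": scanners, "other": other}


def assess_runs(runs: Dict[str, str]) -> Dict[str, str]:
    """Label each sidestep run by what Snort noticed.

    'portscan-only' means the preprocessor counted the connections but no rule
    matched the payload: either the evasion worked or the ruleset has no rule
    for that probe; the log alone cannot tell the two apart.
    """
    verdicts = {}
    for name, text in runs.items():
        s = summarize(text)
        if s["signature_alerts"]:
            verdicts[name] = "signature: " + ", ".join(a["name"] for a in s["signature_alerts"])
        elif s["portscan_sources"]:
            verdicts[name] = "portscan-only"
        else:
            verdicts[name] = "silent"
    return verdicts


if __name__ == "__main__":
    for run, verdict in assess_runs({"-evade -all": RUN_ALL, "-evade -rpc": RUN_RPC}).items():
        print(f"{run:14s} {verdict}")
```

Run as-is it reports the "-evade -all" run as a signature hit on "CGI phf attempt" and the "-evade -rpc" run as portscan-only. When testing an evasion tool this way, run the same probe once without "-evade" first: if the plain probe also produces no signature alert, the ruleset simply has no coverage for it, and the portscan-only result says nothing about the evasion.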