I would like to make a comment on that paper you cited as it relates to the test results.
I am impressed by the authors' technology. I believe they are helping to advance the state of the art in IDS/IPS testing. However, ISS has been unable to reproduce the results that the authors describe with recent products. I believe that the authors were using older versions of ISS products during testing. So far, they have not provided product version information when asked. So, I strongly believe that the published results are not a reflection of the quality of recent ISS product protection. Even so, I still believe that the results demonstrate the strengths of the authors' technology to expose limitations in an IDS/IPS product whether or not the product is still relevant. Paul -----Original Message----- From: Pukhraj Singh [mailto:[EMAIL PROTECTED] Sent: Monday, October 31, 2005 7:28 AM To: tcp fin Cc: [email protected] Subject: Re: RPC Evasion techniques Lot of things can be done to evade IPS/IDS. The tricks vary from protcol to protocol. The difference in the decoding mechanism of security appliance and the application server can lead to many evasion techniques. I have created and tested many mutant exploits and they worked beautifully. The idea is to strike and exploit some fundamental concepts of logic and protocols which IDS/IPS makers tend to ignore or is simply beyond their device capability Apparently, I haven't documented and organized the work I did. But here is an introductory paper you should definitely read: http://www.cs.ucsb.edu/~rsg/Hidra/Papers/2004_vigna_robertson_balzarotti _CCS04.pdf --Pukhraj Singh On 10/27/05, tcp fin <[EMAIL PROTECTED]> wrote: > Hi Guys , > Any tips and tricks or good article on IDS/IPS evasion > ? > I have beautiful paper "Insertion, Evasion and Denial > of Service: > Eluding Network Intrusion detection". > I need some pointers on RPC based evasion techniques. > > Regards, > TCP FIN . > > > > > __________________________________ > Yahoo! Mail - PC Magazine Editors' Choice 2005 http://mail.yahoo.com > > ---------------------------------------------------------------------- > -- > Test Your IDS > > Is your IDS deployed correctly? > Find out quickly and easily by testing it > with real-world attacks from CORE IMPACT. > Go to > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 > to learn more. > ------------------------------------------------------------------------ > > ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
