> So, I strongly believe that the published results are not a
> reflection of the quality of recent ISS product protection.

Can't comment on that.

> Even so, I still believe that the results demonstrate the
> strengths of the authors' technology to expose limitations in
> an IDS/IPS product whether or not the product is still relevant.

I concur. The tidbits about these issues were known for quite a while now, it's just that the scope of these discussions was primarily limited to the developer's desk. Now, as the security appliances are actually doing some advanced protocol decoding and lexical analysis, these issues become very important.

I think the authors are also planning for the public release of the exploit mutation tool.

-Regards
Pukhraj

On 11/4/05, Palmer, Paul (ISSAtlanta) <[EMAIL PROTECTED]> wrote:
> I would like to make a comment on that paper you cited as it relates to
> the test results.
>
> I am impressed by the authors' technology. I believe they are helping to
> advance the state of the art in IDS/IPS testing. However, ISS has been
> unable to reproduce the results that the authors describe with recent
> products. I believe that the authors were using older versions of ISS
> products during testing. So far, they have not provided product version
> information when asked.
>
> So, I strongly believe that the published results are not a reflection
> of the quality of recent ISS product protection. Even so, I still
> believe that the results demonstrate the strengths of the authors'
> technology to expose limitations in an IDS/IPS product whether or not
> the product is still relevant.
>
> Paul
>
> -----Original Message-----
> From: Pukhraj Singh [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 31, 2005 7:28 AM
> To: tcp fin
> Cc: [email protected]
> Subject: Re: RPC Evasion techniques
>
> Lot of things can be done to evade IPS/IDS.
>
> The tricks vary from protocol to protocol. The difference in the decoding
> mechanism of security appliance and the application server can lead to
> many evasion techniques. I have created and tested many mutant exploits
> and they worked beautifully. The idea is to strike and exploit some
> fundamental concepts of logic and protocols which IDS/IPS makers tend to
> ignore or is simply beyond their device capability.
>
> Apparently, I haven't documented and organized the work I did.
>
> But here is an introductory paper you should definitely read:
> http://www.cs.ucsb.edu/~rsg/Hidra/Papers/2004_vigna_robertson_balzarotti_CCS04.pdf
>
> --Pukhraj Singh
>
> On 10/27/05, tcp fin <[EMAIL PROTECTED]> wrote:
> > Hi Guys,
> > Any tips and tricks or good article on IDS/IPS evasion?
> > I have beautiful paper "Insertion, Evasion and Denial of Service:
> > Eluding Network Intrusion detection".
> > I need some pointers on RPC based evasion techniques.
> >
> > Regards,
> > TCP FIN.
