http://www.networksecurityarchive.org/html/Snort-Signatures/2008-09/msg00007.html
People know about this... Even before you've learned Perl!

Nelson Brito
Security Researcher
http://fnstenv.blogspot.com/

Sent on an iPhone wireless device. Please, forgive any potential misspellings!

On Jul 6, 2010, at 1:12 AM, "epixoip" <[email protected]> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Mon, 05 Jul 2010 20:52:40 -0700 Nelson Brito <[email protected]> wrote:
>> If you don't deal well with criticism, don't send such "31337"
>> tool to a public mailing list, keep it just for your friends.
>
> Criticism? All you did was demand credit for work nobody has even
> heard of, much less cared about.
>
>> I got you incubator and it looks like: "look mom, I did my first
>> Perl script". No offense, kid! Okay... Keep studying and you're
>> gonna to learn more and more...
>
> Heh. I'm not even sure where to begin with this one, so I won't.
>
>> Just to let you know, because you're probably 2 years old and live
>> in the jungle,
>
> Oh, snap!
>
>> here is the NNG and ENG post:
>> http://archives.neohapsis.com/archives/fulldisclosure/2008-09/0397.html
>
> Wow, you are far more self-important than I ever gave you credit
> for.
>
> This will be my last reply on this thread, by the way, I'm going to
> go ahead and kill it here. Anyone reading this thread can clearly
> see just how desperate you are to make yourself look good and make
> your name known, and the last thing I want to do is give more
> attention to an attention whore.
>
>> Nelson Brito
>> Security Researcher
>> http://fnstenv.blogspot.com/
>>
>> Sent on an iPhone wireless device. Please, forgive any potential
>> misspellings!
>>
>> On Jul 6, 2010, at 12:20 AM, "epixoip" <[email protected]> wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> On Mon, 05 Jul 2010 18:34:24 -0700 Nelson Brito <[email protected]> wrote:
>>>> Thanks for the credits and keep doing the great work!
>>>> Just for the records: NNG is not a tool, it is just a PoC for the
>>>> concept you are just mimicking. Really creative!!! 8)
>>>
>>> Again, nobody has ever heard of this "NNG PoC" (which, by the way,
>>> you did call it a tool in your packetstorm description) until you
>>> started demanding we give you credit for your ground-breaking
>>> research into a decade-old topic. And again, as I've clearly
>>> highlighted, the only parallel between NNG and Inundator is we both
>>> generate false positives. Nothing new here, not even for NNG.
>>>
>>>> I will keep me the right to be polite.
>>>
>>> That doesn't make you any less of a douche.
>>>
>>>> BTW, I don like my iPhone... 8)
>>>> Specially my apps for that one.
>>>
>>> Erm, okay?
>>>
>>>> Nelson Brito
>>>> Security Researcher
>>>> http://fnstenv.blogspot.com/
>>>>
>>>> Sent on an iPhone wireless device. Please, forgive any potential
>>>> misspellings!
>>>>
>>>> On Jul 5, 2010, at 7:56 PM, "epixoip" <[email protected]> wrote:
>>>>
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA1
>>>>>
>>>>> Oh, for fuck's sake...
>>>>>
>>>>> <acerbity>
>>>>>
>>>>> Wow, you've really called us out on this one. How embarrassing for
>>>>> us.
>>>>>
>>>>> Please accept our sincerest apologies, Mr. Brito. We now understand
>>>>> how phrases like "inundator is a modern twist on an old concept"
>>>>> and "Snot, fwsnort's snortspoof, and possibly others beat us to the
>>>>> punch" can be incredibly obtuse and largely indecipherable,
>>>>> requiring *at least* a third grade education for full
>>>>> comprehension. We accept full responsibility for failing to write
>>>>> this announcement with the lowest common denominator in mind, and
>>>>> promise to limit our vocabulary to only words found on
>>>>> http://simple.wikipedia.org in future posts.
>>>>>
>>>>> Also, thank you for taking the time to hi-jack our announcement by
>>>>> linking to your incredibly superior NNG tool. We failed to include
>>>>> it in our list of credits, and it brings us much shame. Please
>>>>> excuse us while we prepare for Seppuku.
>>>>>
>>>>> </acerbity>
>>>>>
>>>>> To set the record straight right up front, we never stated this was
>>>>> an original idea. In fact, we clearly stated this was *NOT* an
>>>>> original idea. And we *DID,* in fact, credit SNOT -- and fwsnort's
>>>>> snortspoof as well -- even though we discovered them after we had
>>>>> already begun working on Inundator. We didn't credit IDSwakeup,
>>>>> because while IDSwakeup is kind of cool, it uses a static set of
>>>>> payloads to generate the false positives, and we use a dynamic set.
>>>>> We thought parsing Snort's rules files to dynamically build attack
>>>>> payloads was at least original, but when we learned otherwise, we
>>>>> credited the only other two apps we could find that did something
>>>>> similar: SNOT and snortspoof. So we're definitely going out of our
>>>>> way here to give credit where credit is due, even though we had no
>>>>> knowledge of these applications when we thought of the concept.
>>>>> Again, all of this was clearly explained in plain English.
>>>>>
>>>>> Now then, back to you.
>>>>>
>>>>> At first I presumed you were just a self-important moron who
>>>>> couldn't be bothered to actually read the full text of the
>>>>> announcement before crafting your witty reply on your iPhone and
>>>>> publicly embarrassing yourself on four separate mailing lists
>>>>> concurrently. That is until I paid a visit to your outstanding
>>>>> little blog, and realized that not only are you a self-important
>>>>> queef, but you're also a little fucking crybaby who wants credit
>>>>> and attention for every original thought you didn't have.
>>>>>
>>>>> As we can clearly see from your blog, "ANY INFORMATION TAKEN FROM
>>>>> THIS BLOG MUST GIVE THE CREDITS TO THE AUTHOR AND ADD A BACKLINK TO
>>>>> THE ORIGINAL ARTICLE." This must mean you observed some parallel
>>>>> between NNG and Inundator, and thus feel we should be giving you
>>>>> some sort of credit and a backlink (although I suppose the backlink
>>>>> has already been covered by you douching all over this thread.)
>>>>> Let's see what sort of parallels could possibly exist between NNG
>>>>> and Inundator:
>>>>>
>>>>> From http://packetstormsecurity.org/filedesc/nng-4.13r-public.rar.html:
>>>>>
>>>>> "Description: NNG is a tool that creates crafted packets to cause
>>>>> MS02-039 false-positives against IPS/IDS. NNG does not have the
>>>>> same approach used by Snot and Stick, where the main goal is DoSing
>>>>> the IPS. Instead, NNG tries to make IPS/IDS "numbed" enough to have
>>>>> the leakage of real attack.
>>>>>
>>>>> "Author: Nelson Brito"
>>>>>
>>>>> First of all, I don't think SNOT's main goal was to DoS the IPS, as
>>>>> you so cleverly state. Second, I have no fucking clue what "NNG
>>>>> tries to make IPS/IDS 'numbed' enough to have the leakage of real
>>>>> attack" is even supposed to mean. I see some English words there,
>>>>> but that sentence means fuck-all.
>>>>>
>>>>> So from what I can gather, your little tool is capable of sending a
>>>>> single packet mimicking MS02-039. Bra-fucking-vo, how innovative.
>>>>> So it isn't multi-threaded, no attempt is made to send the attack
>>>>> anonymously, you're using a single static payload, and you
>>>>> essentially have little to no user configuration at all. What's the
>>>>> point? I actually have no idea what the actual goal of NNG is,
>>>>> other than to serve as a POC for why pattern matching is full of
>>>>> fail.
>>>>> But then again, that's something we've known for over a
>>>>> decade (although I see you still give presentations on the topic as
>>>>> if it were both new and original), so again -- what is the point of
>>>>> NNG? Even snortspoof, though dated and pretty much useless by
>>>>> today's standards, is vastly more impressive than NNG, as it at
>>>>> least makes an attempt to anonymize attacks and dynamically parses
>>>>> an array of signatures to generate an attack instead of hard-coding
>>>>> ONE payload. Who are you giving credit to for NNG, by the way? Oh
>>>>> that's right -- yourself, even though there is literally nothing
>>>>> original about NNG. By the way, I like how you have a file named
>>>>> "Authors" in the NNG source tarball, where you list yourself and
>>>>> your contact information twice.
>>>>>
>>>>> Your pathetic piece of shit doesn't even come close to what
>>>>> Inundator does, so why the fuck would we give NNG credit? Were you
>>>>> so disillusioned by your own self-importance that you honestly saw
>>>>> a parallel between NNG and Inundator? Or perhaps you were just
>>>>> trying to drive traffic to your little piece of shit by linking
>>>>> everyone to it after trying to make yourself look superior? No, I
>>>>> honestly think your cunt started aching at the thought of us
>>>>> crediting SNOT and snortspoof, but not NNG. Reality is a bitch, huh.
>>>>>
>>>>> Here's my advice to you, Mr. Brito: slap some vagisil on your
>>>>> aching pussy and shut the fuck up. Nobody has heard of you, and
>>>>> nobody has heard of NNG. Get over yourself.
>>>>>
>>>>> Oh, and Inundator is still available at
>>>>> http://inundator.sourceforge.net/
>>>>>
>>>>> Stay classy,
>>>>> /epixoip.
>>>>>
>>>>> On Mon, 05 Jul 2010 09:51:48 -0700 Nelson Brito <[email protected]> wrote:
>>>>>> That is not new and you should give the credits, not just for NNG
>>>>>> (http://packetstormsecurity.org/filedesc/nng-4.13r-public.rar.html),
>>>>>> but you are missing STICK, SNOT and IDSWAKEUP as well.
>>>>>>
>>>>>> Nelson Brito
>>>>>> Security Researcher
>>>>>> http://fnstenv.blogspot.com/
>>>>>>
>>>>>> Sent on an iPhone wireless device. Please, forgive any potential
>>>>>> misspellings!
>>>>>>
>>>>>> On Jul 1, 2010, at 10:25 PM, "epixoip" <[email protected]> wrote:
>>>>>>
>>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>> Hash: SHA1
>>>>>>>
>>>>>>> homepage: http://inundator.bindshell.nl/
>>>>>>> deb repo: deb http://inundator.sourceforge.net/repo/ all/
>>>>>>> gpg key : http://inundator.sourceforge.net/inundator.asc
>>>>>>>
>>>>>>> Announcing the release of inundator v0.5!
>>>>>>>
>>>>>>> inundator is a modern twist on an old concept -- it's an
>>>>>>> IDS/IPS/WAF evasion tool, used to anonymously flood intrusion
>>>>>>> detection systems with false positives in order to obfuscate a real
>>>>>>> attack. inundator leverages the vagueness and poor quality of
>>>>>>> Snort's rules files to generate completely harmless packets / HTTP
>>>>>>> requests that contain just enough keywords to trigger a false
>>>>>>> positive. We thought this was an original idea, but it looks like
>>>>>>> Snot, fwsnort's snortspoof, and possibly others beat us to the
>>>>>>> punch. However, these tools were developed around the turn of the
>>>>>>> century, are quite dated and well-forgotten, and overall quite
>>>>>>> inferior to inundator.
>>>>>>>
>>>>>>> inundator is full featured, multi-threaded, queue-based, supports
>>>>>>> multiple targets, and requires the use of a SOCKS proxy for
>>>>>>> anonymization.
>>>>>>> Via Tor, inundator is capable of generating around
>>>>>>> 1000 false positives per minute. Via a high-bandwidth SOCKS proxy,
>>>>>>> you might be able to generate ten times that amount.
>>>>>>>
>>>>>>> The general idea is one would launch inundator prior to starting an
>>>>>>> attack, allow it to run during the attack, and continue to run it a
>>>>>>> while longer after you've accomplished the attack. The goal, of
>>>>>>> course, is to generate an overwhelming number of false positives so
>>>>>>> that your real attack is essentially buried within the other
>>>>>>> alerts, minimizing the chance of your attack being detected. It
>>>>>>> could also be used to ruin an IDS analyst's day, or keep an
>>>>>>> organization's infosec department busy for a while. I suppose it
>>>>>>> could also be used to test the effectiveness of an IDS, but no, not
>>>>>>> really.
>>>>>>>
>>>>>>> inundator is implemented in Perl (version >= 5.10 is recommended
>>>>>>> due to ithreads bugs in previous versions), and has been tested on
>>>>>>> Debian Lenny, Debian Squeeze, Ubuntu Jaunty, BackTrack4, and Mac OS
>>>>>>> X against Snort v2.8.5.2. It is presumed to work on all POSIX
>>>>>>> operating systems. Hell, it might even work on Windows.
>>>>>>>
>>>>>>> /epixoip.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
