
Here is a reply to the ISS RealSecure is not vulnerable to ADMmutate tool
that was on the Focus-IDS list.

-----Original Message-----
From: Focus on Intrusion Detection Systems [mailto:[EMAIL PROTECTED]] On Behalf Of Dragos Ruiu
Sent: Thursday, April 05, 2001 4:30 AM
To: [EMAIL PROTECTED]
Subject: Re: ADMmutate IDS Evasion Tool


On Wed, 04 Apr 2001, Rouland, Chris (ISSAtlanta) wrote:
> ISS RealSecure has been confirmed as not vulnerable to the ADMmutate
> evasive technique.

So what does this actually mean?

As I see it you are either saying....

 a) we have no shellcode signatures

or

 b) we have fed all the existing exploits through ADMmutate repeatedly
     and have identified other protocol traits to use for each signature
     independent of the shellcode for hundreds of exploits.

I'm skeptical if you've had time to do the latter given the tool was
announced last Thursday, so I'll assume you mean the former. :-)

Marketing proclamations in technical forums can be dangerous I think.
I'm not picking on ISS even though they "opted out" of my IDS comparison
here BTW, but the above proclamation seemed particularly vaporous and
premature, especially since the applications of K2's work are only now
being explored.

As many know I'm usually on the pro-IDS side, but some careful thought
and analysis needs to go into bold statements like the above.  It does the
entire industry a disservice to try to spin control new developments like
this if they turn out to be new difficult problems, which I think the jury
is still out on as far as ADMmutate goes.... (I'm sure as **** not fully
sure how much of a threat/IDS-problem this is yet, personally....)

cheers,
--dr

--
Dragos Ruiu <[EMAIL PROTECTED]>   dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc


