RE: ADMmutate IDS Evasion Tool

Wed, 18 Apr 2001 09:42:26 -0700 


TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

Steve,
I'd take him up on this if I were you.  You can't get better product support
than this!
DAg

-----Original Message-----
From: Farley, Tim (ISSAtlanta)
To: 'Steve'; [EMAIL PROTECTED]
Sent: 4/12/01 5:45 PM
Subject: RE: ADMmutate IDS Evasion Tool


TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message
to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any
problems!
------------------------------------------------------------------------
----

> works it is very easy to test.  Run the tool, attempt 
> an attack, check for an IDS response.
> It doesn't have to be scientific.  

I disagree.  You've left out key steps.

It should be:

1.  Attempt an unmodified attack.
2.  Verify that the IDS responds to it.
3.  Attempt the modified version of the attack.
4.  Verify that the IDS does not respond to it.

In everything that I've seen from both you and K2, you are skipping the
critical steps 1 and 2.  Without them, how do we know RealSecure really
is
failing to detect something? 

This is not rocket science, it's applying the scientific method in its
purest form.

> I doubt it, I am performing similar tests in my lab and 
> having the same results.  Perhaps some actual cooperation 
> and consultation instead of marketing blurbs would be a 
> little more productive. 

I am not a marketing person.  (Neither is Chris Rouland, for that
matter).  

I am an engineer, and I wrote many of the signatures in the RealSecure
network sensor.

Cooperation is a two-way street.  Perhaps you could tell us exactly
which
exploits you are running in your lab which failed to report on
RealSecure
(steps 3 and 4), and what your control cases were (steps 1 and 2), and
we
could actually answer you properly. 

Just announcing "RealSecure is vulnerable" with no other supporting
details
is exactly as non-helpful as you claim we are being.

=====================================
MY PHONE NUMBERS HAVE CHANGED!  PLEASE MAKE NOTE OF THE NEW ONES BELOW.

=====================================
Tim Farley
Senior Researcher
Internet Security Systems

[EMAIL PROTECTED]
(404) 236-2600 http://www.iss.net

Internet Security Systems - The Power to Protect
=====================================

Reply via email to