Hi Wayne,

Nessus used to have a feature to "obscure" its attack patterns with basic "obscurification", and we removed this as each of the major NIDS had different evasion weaknesses that had been overcome over time. Most NIDS still have one form of network or application evasion or another, but there were few that affected all technologies.
My advice to you would be to ask you what the goal of your scanning is. If the goal is to enumerate the vulnerabilities and open ports of the systems behind the NIDS, then go to the NIDS managers and ask for your Nessus scanner IPs to be added to their trusted list. Better yet, perform your tests with full credentials to get all of the vulnerabilities on these systems (not just the ones that can be scanned for).

Barring that, please consider the following items:

- If you spread your scan out to be slow, certain checks will still alert the IDS and perhaps block the scanner. It may only take one alert to block, so spreading things out may not help you.
- Passively monitoring the network (such as with our Passive Vulnerability Scanner) does not affect or interact with your IPS and can produce similar results in most cases for traffic in motion.
- If you do deploy many internal Nessus scanners, you should consider distributed management of them with a centralized product like the Security Center.
- If your firewall isn't blocking fragments or odd packets, you could try performing your scan through a tool like fragroute. I find this sort of solution operationally unacceptable, as you still may not know what the IPS is blocking, which can lead to odd or inconsistent scanning results.

Ron Gula
Tenable Network Security

Wayne Dawson wrote:
> I'm finding more and more reports of ports open at the beginning of a
> scan are closed during the scan. The problem, in my case, is the Cisco
> routers that the scans pass through all have the Cisco FW/IPS feature
> set enabled. It appears that one sub-optimal approach would be going to
> each segment I want to do and setting up a Nessus "scanning" machine.
> That's not something I want to do. Are there any plans for obfuscating
> the attack signatures, randomly?
> Also a low and slow 3 or 4 day scan may be helpful for scanning, at
> least, but that might be helpful too in other IDS evasion.
>
> So, really, I'm wondering how Tenable may be approaching the whole IDS
> evasion/insertion idea. There are likely certain limitations of the
> Cisco FW/IDS feature set that may be used against it.
>
> Wayne Dawson

Nessus mailing list: http://mail.nessus.org/mailman/listinfo/nessus
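Ron's caveat about "odd or inconsistent scanning results" and the symptom Wayne reports (ports open early in a scan, then closed) can be checked from the scanner's own observations: if open-to-closed flips hit several hosts inside one short window, the cause is almost certainly the scanner being blocked along its path rather than independent changes on the targets, and that is the evidence to take to the NIDS managers. The script below is an added example, not part of the thread or of any Tenable product; the log format and sample data are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed scanner log: (timestamp, target host, port, observed state).
# Hosts .10 and .11 answer at first, then every port "closes" within the same
# minute; host .12 was closed all along. That pattern points at the scanner
# being blocked by something in the path, not at changes on the targets.
OBSERVATIONS = [
    ("2007-03-01T10:00:01", "10.1.2.10", 22, "open"),
    ("2007-03-01T10:00:02", "10.1.2.10", 80, "open"),
    ("2007-03-01T10:00:03", "10.1.2.11", 22, "open"),
    ("2007-03-01T10:00:04", "10.1.2.12", 443, "closed"),
    ("2007-03-01T10:14:10", "10.1.2.10", 22, "closed"),
    ("2007-03-01T10:14:12", "10.1.2.10", 80, "closed"),
    ("2007-03-01T10:14:15", "10.1.2.11", 22, "closed"),
    ("2007-03-01T10:14:20", "10.1.2.12", 443, "closed"),
]

def open_then_closed(observations):
    """Map (host, port) -> time of the first 'closed' seen after an 'open'."""
    by_target = defaultdict(list)
    for ts, host, port, state in observations:
        by_target[(host, port)].append((datetime.fromisoformat(ts), state))
    flips = {}
    for target, events in by_target.items():
        events.sort()
        seen_open = False
        for when, state in events:
            if state == "open":
                seen_open = True
            elif seen_open:
                flips[target] = when
                break
    return flips

def assess_blocking(observations, min_hosts=2, window=timedelta(minutes=5)):
    """Return (blocked?, estimated block time, affected hosts).
    Flips on at least min_hosts distinct hosts inside one window are attributed
    to the scanner's path (IPS/firewall) rather than to the targets themselves."""
    flips = open_then_closed(observations)
    if not flips:
        return False, None, []
    first = min(flips.values())
    in_window = {h for (h, _), t in flips.items() if t - first <= window}
    blocked = len(in_window) >= min_hosts
    return blocked, (first if blocked else None), sorted(in_window)

if __name__ == "__main__":
    blocked, when, hosts = assess_blocking(OBSERVATIONS)
    print(f"scanner blocked: {blocked} at {when}, hosts {hosts}")
```

A single host flipping on its own is reported but not treated as blocking, since one target legitimately changing state mid-scan is not evidence of IPS interference.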
