Intrusion Detection Systems: Re: RE: Info needed to compare Axent ITA and ISS RealSecure

[dugsong () monkey org (Dug Song)]

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
On Thu, 6 Jul 2000, Greg Shipley wrote:

> As a side note, in my testing with fragrouter simple fragmentation
> almost ALWAYS gets interpreted properly by the end (read: target)
> node.  HOWEVER, some of those other packet mangling and sequencing
> tricks DO NOT.
fragment/segment overlap is indeed handled differently by various OSs,
but i decided to settle on one behaviour in fragrouter to simplify
implementation and testing.

fragrouter lacks many features, including support for variable TTLs,
TCP/IP option tricks, and many other nifty ideas originally outlined in
the SNI paper. it was meant to be a simple implementation of the SNI IDS
tests according to the methodology outlined in the paper, nothing more.

the next version of fragrouter will be significantly cleaned up (oy, yuk),
and will include options to determine fragmentation/segmentation overlap
behaviour and insertion method (ttl, seqnum, checksum, options, etc.), as
well as some nifty encapsulation tricks for firewall penetration (to be
presented at blackhat in two weeks)...

Thomas' suggestion that fragrouter be used as an indisputable
benchmark(eting) measure is a good one; as lame and incomplete as it is,
it's still some tangible result people can deal with, as opposed to the
wild, vague marketing claims that only serve to confuse people.

-d.

http://www.monkey.org/~dugsong/