Penetration Testing
mailing list archives
Re: IDS Assessments....and the I{D|P}S evasion research project
From: Sam Gorton <sgorton () skaion com>
Date: Thu, 16 Nov 2006 14:51:51 -0500
On Wed, Nov 15, 2006 at 04:22:19PM -0500, Joseph McCray wrote:
> Have any of you ever taken the time to develop a list of signatures and
> their corresponding tools and/or exploits that actually trigger every
> individual signature the IDS has?
Joe, we did something similar for a client - we picked a single
exploit and performed a whole set of mangling and evasion tests with
it.
As a foundation, we used the ISAPI .printer exploit by eEye, which has
the very useful payload of writing a file on the target system. If
the file is there, you know the exploit worked.
To help us automate the correlation, we bound each individual test
case to a unique source port, and included the source port in the file
name. (Well, we used N for 9, because the exploit couldn't write a 9,
but you get the idea). So that way we knew that for a given suite of
tests, source port 30000 was test X.
Even if you can't do the rest of it, keying each test case to a source
port is an enormous help in correlation.
--
Sam Gorton | Skaion Corporation
sgorton () skaion com | 978-251-3963
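The bookkeeping Sam describes (one source port per test case, the port carried back in the name of the file the payload drops, correlation by parsing those names, with 9 spelled as N) as an added example. This is not code from the original post or from Skaion; the target, the request variants and the blocked "signature" string are constructed stand-ins for the ISAPI .printer exploit and a real IPS, and the `X-Drop-File` header is an assumed way for the sender to hand the file name to the stand-in victim. Only the correlation technique is the point.

```python
"""Key each IDS/IPS evasion test case to its own source port and correlate results.

Added example, not code from the original post. The victim, the request
variants, TOY_SIGNATURE and the X-Drop-File header are all constructed.
"""
import re
import socket
import threading

BASE_PORT = 30000            # test X runs from source port BASE_PORT + X
FILE_PREFIX = "evasion-"     # dropped file is named evasion-<source port>.txt
FILE_SUFFIX = ".txt"

# Constructed request variants. The toy IPS below drops anything carrying the
# literal bytes TOY_SIGNATURE, so a variant "evades" if it spells it differently.
TOY_SIGNATURE = b"SIGNATURE"
TEST_CASES = [
    ("plain",          b"GET /printer.ext?x=SIGNATURE HTTP/1.0\r\n"),
    ("url-encoded",    b"GET /printer.ext?x=SIG%4EATURE HTTP/1.0\r\n"),
    ("case-swapped",   b"GET /printer.ext?x=signature HTTP/1.0\r\n"),
    ("plain-repeated", b"GET /printer.ext?x=SIGNATURESIGNATURE HTTP/1.0\r\n"),
]


def assign_ports(test_cases, base=BASE_PORT):
    """Give every test case its own source port: {port: (name, request)}."""
    return {base + i: tc for i, tc in enumerate(test_cases)}


def port_to_tag(port):
    """The post's payload could not write the digit 9, so spell it as N."""
    return str(port).replace("9", "N")


def tag_to_port(tag):
    """Invert port_to_tag."""
    return int(tag.replace("N", "9"))


def marker_filename(port):
    return f"{FILE_PREFIX}{port_to_tag(port)}{FILE_SUFFIX}"


_TAG_RE = re.compile(re.escape(FILE_PREFIX) + r"([0-8N]+)" + re.escape(FILE_SUFFIX) + r"$")


def correlate(port_map, filenames_on_target):
    """Map the files found on the target back to test cases: {name: landed?}."""
    landed = set()
    for fn in filenames_on_target:           # full paths are fine, regex anchors on the tail
        m = _TAG_RE.search(fn)
        if m:
            landed.add(tag_to_port(m.group(1)))
    return {name: port in landed for port, (name, _req) in port_map.items()}


def send_from_port(src_port, target, request):
    """Send from a fixed source port so every pcap/IDS row keys to one test case."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # survive TIME_WAIT from a prior run
        s.settimeout(5)
        s.bind(("127.0.0.1", src_port))
        s.connect(target)
        s.sendall(request)
        s.shutdown(socket.SHUT_WR)
        return s.recv(1024)


def run_suite(port_map):
    """Drive the suite against a loopback stand-in that plays both the inline IPS
    (drops requests containing TOY_SIGNATURE) and the victim (records the file
    a surviving request asks it to write), then correlate by source port."""
    written = []
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(len(port_map))
    target = srv.getsockname()

    def victim():
        for _ in port_map:
            conn, _peer = srv.accept()
            with conn:
                chunks = []
                while True:                       # read to EOF; sender shut its write side
                    c = conn.recv(4096)
                    if not c:
                        break
                    chunks.append(c)
                data = b"".join(chunks)
                if TOY_SIGNATURE not in data:     # IPS did not fire, so the "payload" runs
                    m = re.search(rb"X-Drop-File: (\S+)", data)
                    if m:
                        written.append(m.group(1).decode())
                conn.sendall(b"HTTP/1.0 200 OK\r\n\r\n")

    t = threading.Thread(target=victim, daemon=True)
    t.start()
    for port, (_name, request) in port_map.items():
        # The sender embeds the port-keyed file name, as the real payload would.
        send_from_port(port, target, request + b"X-Drop-File: " + marker_filename(port).encode() + b"\r\n\r\n")
    t.join(10)
    srv.close()
    return correlate(port_map, written)


if __name__ == "__main__":
    for name, ok in run_suite(assign_ports(TEST_CASES)).items():
        print(f"{name:16s} {'landed' if ok else 'blocked'}")
```

Against a real target you would replace `run_suite`'s loopback victim with the actual host and collect the dropped files (or their directory listing) afterwards; `correlate` needs only the port map and the list of names it finds, and the same port is what you filter on in the IDS alert log to see which variants were detected versus which actually landed.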