IDS mailing list archives

sidestep


From: Jill Tovey <jill.tovey () bigbluedoor com>
Date: 25 Apr 2003 08:06:29 +0100

Hi All, 

I have a snort box and I am testing it using a tool called sidestep.

For those that don't know, the tool works by allowing you to choose which
type of attack you want, for example RPC, DNS, FTP, etc., and then run it
with a switch such as -evade, which will perform the attack on the box
and attempt to "evade" the IDS. The URL is
http://www.robertgraham.com/tmp/sidestep.html

Now I have run the tool with all of the possible attacks and it has
worked fine, but it doesn't always manage to evade snort.

So I am writing up the results of this for a project I am doing at Uni;
however, when it comes to explaining how this tool tries to evade the IDS,
I can't, because I don't know, and there seems to be no documentation to
explain how it is working, and I can't look at the source code.

So I wondered if anyone here knew how it worked, or had some info on how
it worked.

I have managed to find one article on SANS detailing how it works for
the RPC attack, which is very helpful
(http://www.sans.org/resources/idfaq/rpc_evas.php), but nothing to
explain what it does for the other attacks.

Any info would be much appreciated.
