Intrusion Detection Systems mailing list archives

Re: Assessment tools/Scanners


From: dugsong () monkey org (Dug Song)
Date: Tue, 12 Oct 1999 09:41:01 -0400 (EDT)
On Mon, 11 Oct 1999, Martin Roesch wrote:

> Definitely, but the vast majority of script kiddies don't do this either
> because they're lazy or because they don't have the "skillz".

it only takes one person with "skillz" to produce an idiot-proof exploit.
e.g. congestant - Phrack 54, article 10:

        http://www.phrack.com/search.phtml?view&article=p54-10

> Hey, Snort will detect that someone is running their packets thru
> fragrouter! ;) (Of course, that's *all* it tells you....)

snort will alert on tiny IP fragments, sure. but it is easily eluded by
TCP message reordering (fragrouter -T9: out-of-order 1-byte TCP segments),
and many other TCP-based attacks (overlapping segments, interleaved null
segments, etc.).

misuse detection systems also tend to miss simple application-level
subterfuge attacks. as a demonstration, i've added simple randomized HTTP
URI encoding to the common cgichk exploit scanner:

        http://www.monkey.org/~dugsong/tmp/cgichk3-dug.tar.gz

such obfuscation is possible in just about EVERY application protocol -
see Paxson's Bro paper for more common examples.

-d.

http://www.monkey.org/~dugsong/
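As an added example (not code from the post, from fragrouter, or from the cgichk scanner Dug modified), this is the defensive counterpart to the randomized URI-encoding trick described above: a small signature matcher that canonicalizes the request URI before matching, so a raw substring match and the normalized match can be compared side by side. The signature strings and request lines are constructed for illustration.

```python
# Added example: URI canonicalization before signature matching, so that
# percent-encoding, double encoding and path games do not elude a misuse detector.
import re
from typing import Tuple

# Constructed signatures: path substrings a misuse detector might look for.
SIGNATURES = ["/cgi-bin/phf", "/cgi-bin/test-cgi", "/_vti_bin/"]

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")

def decode_uri(uri: str, max_rounds: int = 2) -> str:
    """Percent-decode, repeating a bounded number of times to undo double
    encoding (e.g. %2563 -> %63 -> c). Stops early once nothing changes."""
    cur = uri
    for _ in range(max_rounds):
        new = _PCT.sub(lambda m: chr(int(m.group(1), 16)), cur)
        if new == cur:
            break
        cur = new
    return cur

def normalize_uri(uri: str) -> str:
    """Canonical path: decode, drop the query string, remove empty and '.'
    segments and resolve '..' so that the same resource has one spelling."""
    path = decode_uri(uri).split("?", 1)[0]
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)

def scan_request(line: str) -> Tuple[bool, bool]:
    """Return (raw_hit, normalized_hit) for one HTTP request line.
    A malformed line (no URI field) matches nothing."""
    fields = line.split(" ")
    if len(fields) < 2:
        return (False, False)
    uri = fields[1]
    raw_hit = any(sig in uri for sig in SIGNATURES)
    norm_hit = any(sig in normalize_uri(uri) for sig in SIGNATURES)
    return (raw_hit, norm_hit)

if __name__ == "__main__":
    # Constructed request lines: plain, percent-encoded, dot-segment and '..' variants.
    for req in ["GET /cgi-bin/phf?Qalias=x HTTP/1.0",
                "GET /%63gi-bin/ph%66?Qalias=x HTTP/1.0",
                "GET /cgi-bin/./test-cgi HTTP/1.0",
                "GET /images/../%5Fvti_bin/shtml.exe HTTP/1.0"]:
        print(scan_request(req), req)
```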
