IDS/IPS Evasion Research Project

From: Joseph McCray (joe@learnsecurityonline.com)
Date: Mon Oct 09 2006 - 06:31:03 EDT


I was talking with a buddy of mine on the subject of IDS evasion. We
were going on and on about how none of the old techniques really work
anymore (substitution/obfuscation/session splicing/fragmentation, blah
blah blah). I was an IDS monkey in a former life - maybe I'm just a
glutton for punishment.

There is a bunch of new stuff on the subject that really isn't all that
well documented (AT LEAST NOT FOR FREE). Everybody charges for this kind
of info these days - hey who am I to complain - I charge for teaching
hacking too right? So I figured why not start an IDS/IPS Evasion
research project of my own.

I figured I could give a shout out to you guys here on the pentest/ids
lists to help me try out some different open source tools against a few
I{D|P}Ss, maybe even write a few new tools too, and we can see for
ourselves what lights up and what doesn't. Now of course you know we'll
start with Snort as it is by far the most accessible and the easiest to
find competent users.

Things I'm really interested in digging into:
1. Specifically which of the older IDS evasion techniques still work
against modern I{D|P}Ss.
2. What types of tricks can we do with Metasploit to evade I{D|P}Ss (and
get them documented)
3. Solidifying and expanding Renaud Bidou's good work on the subject
4. Nail down Firewall/IDS testing specifics for packet crafting tools
like:
        * hping
        * scapy
        * rubyforger
        * isic
        * nemesis
        * Paketto Keiretsu

If you are interested in working on this, send me an email. I won't be
able to start for a week or two, but I can start getting the attack host
and some targets ready during that time. We'll all figure out how we want
to build/configure the test network.

-- 
Joe McCray
Toll Free:  1-866-892-2132
Email:      joe@learnsecurityonline.com
Web:        https://www.learnsecurityonline.com
Learn Security Online, Inc.
* Security Games        * Simulators
* Challenge Servers     * Courses
* Hacking Competitions  * Hacklab Access
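The post lists session splicing among the "old techniques" that no longer work. The reason is that it only defeats a detector that matches each TCP segment in isolation; any sensor that reassembles the stream before matching (Snort has done this through its stream preprocessor for years) sees the original payload. The following is an added, stand-alone Python illustration of that difference, not code from Joe's post or from any of the tools he lists. The HTTP request and the content string it searches for are constructed for the example; the two detector functions are deliberately minimal stand-ins for per-segment versus reassembled matching, not a model of Snort's actual rule engine. In a real test the chunks would be put on the wire with scapy or hping and the sensor's alerts compared.

```python
"""Session splicing against a per-segment matcher versus a reassembling one.

Added illustration; the request, signature and both detectors are constructed
for this example and do not represent any particular IDS product.
"""
from typing import List

# Constructed signature: the byte string a simple content rule would look for.
SIGNATURE = b"/etc/passwd"

# Constructed request; a single-segment delivery of it trips the signature.
REQUEST = b"GET /../../etc/passwd HTTP/1.0\r\nHost: target\r\n\r\n"


def splice(payload: bytes, size: int) -> List[bytes]:
    """Cut an application-layer payload into consecutive chunks of `size`
    bytes, the way session splicing spreads it across many small TCP segments."""
    if size <= 0:
        raise ValueError("chunk size must be positive")
    return [payload[i:i + size] for i in range(0, len(payload), size)]


def per_segment_match(segments: List[bytes], signature: bytes) -> bool:
    """Stateless detector: inspects every segment on its own.

    This is the model the technique was designed to beat; the signature must
    fall entirely inside one segment to be seen."""
    return any(signature in seg for seg in segments)


def reassembled_match(segments: List[bytes], signature: bytes) -> bool:
    """Stream-aware detector: rebuilds the byte stream, then matches.

    Ordering is taken as given here; a real reassembler also has to cope with
    out-of-order and overlapping segments, which is a separate evasion topic."""
    return signature in b"".join(segments)


def evasion_works(payload: bytes, signature: bytes, size: int) -> bool:
    """True when splicing at `size` hides the signature from the per-segment
    detector while the reassembling detector still finds it."""
    segments = splice(payload, size)
    return (not per_segment_match(segments, signature)
            and reassembled_match(segments, signature))


def largest_evading_chunk(payload: bytes, signature: bytes) -> int:
    """Largest chunk size at which the per-segment detector still misses.

    Any size shorter than the signature evades trivially; larger sizes only
    evade when a chunk boundary happens to cut through the signature.
    Returns 0 if the signature is not in the payload at all."""
    if signature not in payload:
        return 0
    for size in range(len(payload), 0, -1):
        if not per_segment_match(splice(payload, size), signature):
            return size
    return 0


if __name__ == "__main__":
    for size in (4, 8, 20, 21, 64):
        segs = splice(REQUEST, size)
        print(f"chunk={size:2d} segments={len(segs):2d} "
              f"per-segment={per_segment_match(segs, SIGNATURE)!s:5} "
              f"reassembled={reassembled_match(segs, SIGNATURE)}")
    print("largest evading chunk:", largest_evading_chunk(REQUEST, SIGNATURE))
```

The stateless matcher is beaten by any chunk size shorter than the signature, and by larger sizes only when a segment boundary happens to land inside it; the reassembling matcher fires at every size. That is the whole story of why splicing stopped working once sensors reassembled streams, and it points at the questions still worth testing on a real sensor: how many bytes it buffers before it gives up on a stream, how it handles overlapping or out-of-order segments, and what timeouts force a flush.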




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:10 EDT