RE: sidestep

From: Golomb, Gary <GGolomb(at)enterasys.com>
Date: Wed Apr 30 2003 - 07:41:44 EDT

> For those that don't know, the tool works by allowing you to choose which
> type of attack you want, for example RPC, DNS, FTP etc and then run it

Most all IDSes on the market nowadays can decode/detect these tactics. When Robert released the tool, the concepts were quite novel; however, that was several years ago now. I doubt you'll have any luck "evading" IDSes with sidestep. On the other hand, using the methods employed by sidestep to create a "proxy" (like the earlier versions of fragrouter) would probably yield much different results though. :) i.e. something that obfuscates all RPC, DNS, etc. traffic which passes through it. Also, there are several other protocols which are subject to the same types of obfuscations that are not implemented in sidestep. SMB is one such example.

> So I am writing up the results of this for a project I am doing at Uni IDS,
> I can't because, I don't know, and there seems to be no documentation to
> explain how it is working, and I can't look at the source code.

The best way to figure it out is to look at the packets on the wire!

Also, these two papers look at the DNS and RPC portions of the tool.
https://dragon.enterasys.com/wp/DNS_Evasion.pdf
https://dragon.enterasys.com/wp/RPC_Evasion.pdf

-gary
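Gary's two points above, that the way to understand an evasion tool is to look at the packets on the wire, and that a current IDS decodes protocols such as DNS rather than matching raw bytes, can be illustrated with a small DNS question decoder. This is an added example, not code from the original thread, from sidestep, or from the Enterasys papers, and it makes no claim about which encodings sidestep actually uses: it takes a generic DNS feature (label compression pointers, RFC 1035 section 4.1.4) as the illustration. The two messages, the `naive_match` signature check and all function names are constructed for this example.

```python
import struct

# Build a minimal DNS header: id, flags (standard query, RD), qdcount, an/ns/arcount.
def build_header(qid=0x1234, qdcount=1):
    return struct.pack("!HHHHHH", qid, 0x0100, qdcount, 0, 0, 0)

# Encode a dotted name as uncompressed length-prefixed labels.
def encode_labels(name):
    out = b""
    for label in name.split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

# A byte-matching "signature": does the uncompressed wire form of the name appear?
def naive_match(msg, name):
    return encode_labels(name) in msg

def parse_name(msg, offset, max_hops=16):
    """Decode a DNS name at offset, following compression pointers.
    Returns (name, offset just after the name in the original stream)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if (length & 0xC0) == 0xC0:  # 11xxxxxx: 14-bit pointer into the message
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2          # the stream resumes after the pointer
            jumped = True
            hops += 1
            if hops > max_hops:           # guard against pointer loops
                raise ValueError("pointer loop")
            offset = ptr
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end

def parse_questions(msg):
    """Return [(name, qtype, qclass), ...] for every question in the message."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = parse_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    return questions

def question_names(msg):
    return [q[0] for q in parse_questions(msg)]

def is_well_formed(msg):
    try:
        parse_questions(msg)
        return True
    except (ValueError, struct.error):
        return False

# Constructed sample 1: a plain query for www.example.com (qtype A, class IN).
MSG_PLAIN = build_header(qdcount=1) + encode_labels("www.example.com") + struct.pack("!HH", 1, 1)

# Constructed sample 2: the same name asked via a second question whose suffix is a
# pointer to offset 12, where "example.com" sits in the first question.
MSG_COMPRESSED = (build_header(qdcount=2)
                  + encode_labels("example.com") + struct.pack("!HH", 1, 1)
                  + b"\x03www" + struct.pack("!H", 0xC000 | 12) + struct.pack("!HH", 1, 1))

# Constructed sample 3: a name that is a pointer to itself (a decoder must not spin forever).
MSG_LOOP = build_header(qdcount=1) + struct.pack("!H", 0xC000 | 12) + struct.pack("!HH", 1, 1)

if __name__ == "__main__":
    for label, msg in (("plain", MSG_PLAIN), ("compressed", MSG_COMPRESSED)):
        print(label, "naive:", naive_match(msg, "www.example.com"), "decoded:", question_names(msg))
    print("loop well-formed:", is_well_formed(MSG_LOOP))
```

Both messages carry a question for `www.example.com`, but the byte-matching check only fires on the first; a decoder that follows pointers sees the name in both, and the hop limit keeps a self-referencing pointer from hanging the parser. The same principle (normalize the protocol, then inspect) is what Gary means by IDSes being able to "decode" these tactics, and a capture of the tool's traffic compared against such a decoder is how one would document what it changes on the wire.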




Received on Sun May 4 03:25:58 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:12 EDT
