IDS Evasion By Accident
id and I were talking today about some of the tests he is performing for some software he is helping to test. Amongst some of the tests he was in charge of some of it required forcing the IDS to alert on some of the vulnerabilities he was performing. You’d think it would be an easy thing to do. He took some of my successful hack attempts as well as some of his probing attacks and still was unsuccessful in creating an event that the server could pick up.
I had sort of thought the network security world had made the attack signatures a commodity. However in hearing his story, after 72 hours of testing he was only able to get his client’s IDS to alert after knowing the exact server signature that would alert and modifying his attack specifically to be detected. Ouch. How can companies feel secure without being able to see these very obvious recon techniques. We aren’t talking about anything more complex than a nmap scan, but still, they are unable to properly assess the attack in question.
Kinda makes me wonder about the state of network security when default IDSs aren’t able to detect or properly classify the most obvious attacks. Maybe it’s time to revisit what people are looking at and reporting on.
This entry was posted on Saturday, November 11th, 2006 at 2:37 am and is filed under Random Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
One Response to “IDS Evasion By Accident”
Omer Taran Says:
November 12th, 2006 at 1:32 pm
When I lecture about information security, I usually come to speak of the security products grave yard. this is the place where all the overhyped and overerstimated security products come to an end. IDSs are usually on top of my list. they can be very useful in the hands of an expert. only those aren’t as common as IDSs
Leave a Reply Or Discuss On the Forums