[ISN] Tool Allows For Bypassing IDS's

From: InfoSec News (isnat_private)
Date: Thu Apr 18 2002 - 00:23:37 PDT

    Forwarded from: Aj Effin Reznor <ajat_private>

    From a bugtraq posting today:

    "I didn't see it posted to these lists, but yesterday Dug Song quietly
    released a tool on the focus-ids list which totally blindsides Snort -
    http://www.monkey.org/~dugsong/fragroute/index.html. His README.snort
    file contains several fragroute scripts which blindside even the
    current Snort version in CVS, tested on RedHat 7.2. For example, the
    latest wu-ftpd exploits run through the one line "tcp_seg 1 new"
    don't trigger any Snort alerts at all."

    What does Dug have to say about his tool?  From the above url:

    "fragroute intercepts, modifies, and rewrites egress traffic destined
    for a specified host, implementing most of the attacks described in
    the Secure Networks "Insertion, Evasion, and Denial of Service:
    Eluding Network Intrusion Detection" paper of January 1998.

    It features a simple ruleset language to delay, duplicate, drop,
    fragment, overlap, print, reorder, segment, source-route, or otherwise
    monkey with all outbound packets destined for a target host, with
    minimal support for randomized or probabilistic behaviour.

    This tool was written in good faith to aid in the testing of network
    intrusion detection systems, firewalls, and basic TCP/IP stack
    behaviour. Please do not abuse this software."

    All the more reason for admins to not be reliant on IDS systems and to
    add another layer to their security structure.

    Props to Dug for keeping proof of concept alive.
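
The detection gap described in the posting, a signature split across one-byte TCP segments, depends on whether a sensor matches each packet alone or matches the reassembled stream. The following Python sketch is an added example, not part of the original message and not Snort or fragroute code; the signature, payload and sequence numbers are constructed. It compares the two approaches and shows that when segments overlap, the sensor's choice of which copy to keep has to agree with the protected host's.

```python
# Added illustration; constructed data, not Snort or fragroute code.
SIGNATURE = b"BADCMD"                          # constructed signature
PAYLOAD = b"USER anonymous\r\nBADCMD arg\r\n"  # constructed session bytes
BASE_SEQ = 1000                                # constructed initial sequence number

def split_segments(payload, size):
    """Cut a payload into (seq, data) pairs, like TCP segments of `size` bytes."""
    return [(BASE_SEQ + i, payload[i:i + size])
            for i in range(0, len(payload), size)]

def per_packet_match(segments):
    """Stateless inspection: look for the signature in each segment alone."""
    return any(SIGNATURE in data for _, data in segments)

def reassemble(segments, policy="first"):
    """Rebuild the stream by sequence number, processing in arrival order.
    policy picks which copy of an overlapping byte survives: 'first' or 'last'."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    stream = {}
    for seq, data in segments:
        for off, byte in enumerate(data):
            if policy == "last" or seq + off not in stream:
                stream[seq + off] = byte
    out, pos = bytearray(), BASE_SEQ
    while pos in stream:                       # stop at the first gap
        out.append(stream[pos])
        pos += 1
    return bytes(out)

def stream_match(segments, policy="first"):
    """Stateful inspection: match against the reassembled byte stream."""
    return SIGNATURE in reassemble(segments, policy)

WHOLE = split_segments(PAYLOAD, len(PAYLOAD))  # one segment
TINY = split_segments(PAYLOAD, 1)              # one byte per segment
# Constructed overlap: a differing copy of the signature bytes arrives first.
OVERLAP = [(BASE_SEQ + PAYLOAD.index(SIGNATURE), b"X" * len(SIGNATURE))] + TINY

if __name__ == "__main__":
    print("whole, per-packet:", per_packet_match(WHOLE))
    print("tiny, per-packet: ", per_packet_match(TINY))
    print("tiny, reassembled:", stream_match(TINY))
    print("overlap first/last:", stream_match(OVERLAP, "first"),
          stream_match(OVERLAP, "last"))
```

A sensor that keeps the first copy of overlapping bytes while the monitored host keeps the last (or the reverse) inspects a different stream from the one the host acts on, so reassembly alone is not sufficient without a matching overlap policy.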