Not to get even further off topic...but I will...to support Dragos. The whole IDS evasion thing mimics the scanners vs. virus writers war. I've been doing antivirus work since 1989 and I have heard that virus writers were going to polymorph, encrypt, oli-this, poly-that since before there were 100 viruses. Nobody, not even the AV vendors, thought that scanners would still be fighting the good fight (and winning 99.999% of the time) when 30,000+ viruses and worms appeared. Virus scanners would run out of memory, wouldn't be able to keep up with the signatures, would end up with too many false positives, would run so slow nobody would use them, etc. But the truth is fingerprint scanning (no matter how flawed) still works, and I hear less about AV scanner deaths every year...and when I do hear it, it's from the vendors themselves...and guess what, they have the new solution sitting in the wings ready to go.

I see the same pattern in IDS...heck, yeah, the black hatters will develop more sophisticated hacks...and the white hatters will fight back...SUCCESSFULLY.

With that said, there are some viruses today that scare the mess out of the good AV guys...ones that scare them and keep them up at night. And DDoS "Reflection" attacks???...if you're not scared you don't understand the problem. But the good guys will respond and life will go on as usual.

Just my one cent.

Roger A. Grimes
***************************************************************************
*Roger A. Grimes, VP of IT for GK/PHR Holding Company
*Gold Key Resorts and Professional Hospitality Resources
*email: rogergat_private
*ph: 757-491-2101 x403
*fax: 757-491-6550
*932 Laskin Road, Virginia Beach, VA 23451
*Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode/
***************************************************************************

;-----Original Message-----
;From: Dragos Ruiu [mailto:drat_private]
;Sent: Wednesday, April 17, 2002 12:08 AM
;To: 0xcafebabeat_private
;Cc: bugtraqat_private; pen-testat_private; snort-develat_private; roeschat_private; natashaat_private
;Subject: Re: Snort exploits
;
;Heh, well... first... don't panic. :-)
;
;I was actually expecting him to release fragroute on the CanSecWest conference CD,
;for his talk on it there and am preparing some appropriate countermeasures for the
;variant of snort I was going to put on there. Been kinda swamped with conference
;preparations so please do not ask me for any of this in advance of the conference.
;
;Odds are now that this info has gone out snort cvs will have fixes for this
;in a matter of hours or days...
;
;The TCP evasions are fairly easily detectable as overlaps should not normally occur.
;I'm sure Marty or Andrew will be releasing some tweaks to stream4 shortly to
;address this. It is just a matter of slightly more rigorous alerting and
;
;To everyone else:
;
;The game of evasion and countermeasures is the snake eating its tail and you
;shouldn't be naive and assume that there aren't other evasions out there because
;there are _always_ other obfuscations and countermeasures, and then detectors for
;
;--dr
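The "overlaps should not normally occur" point in the quoted reply, as an added illustration that is not part of either author's message or of Snort's stream4 code: a small per-flow byte tracker that ignores plain retransmissions (same bytes at the same sequence offsets) but flags an overlapping segment whose bytes contradict what was already seen. The flow tuple and segments below are constructed sample data; 32-bit sequence wraparound is deliberately left out.

```python
from collections import defaultdict

def find_conflicting_overlaps(segments):
    """segments: iterable of (flow, seq, payload) in arrival order, where
    flow is any hashable connection id, seq the TCP sequence number of the
    first payload byte, and payload a bytes object.

    Returns a list of (flow, first_seq, end_seq) ranges where a later
    segment's bytes disagree with bytes already recorded for that flow.
    Identical overlaps (ordinary retransmissions) produce no entry."""
    seen = defaultdict(dict)          # flow -> {sequence offset: byte value}
    conflicts = []
    for flow, seq, payload in segments:
        stream = seen[flow]
        bad = []
        for i, b in enumerate(payload):
            off = seq + i
            if off in stream:
                if stream[off] != b:  # overlap with different data
                    bad.append(off)
            else:
                stream[off] = b       # first sighting of this offset
        if bad:
            conflicts.append((flow, min(bad), max(bad) + 1))
    return conflicts

# Constructed sample: a client request, one honest retransmission, and then
# a segment that re-covers already-sent sequence space with different bytes.
FLOW = ("10.0.0.5", 40000, "10.0.0.1", 80)   # constructed 4-tuple
SAMPLE = [
    (FLOW, 1000, b"GET /ind"),               # bytes 1000..1007
    (FLOW, 1000, b"GET /ind"),               # retransmission: no alert
    (FLOW, 1008, b"ex.html HTTP/1.0\r\n"),   # bytes 1008..1025
    (FLOW, 1004, b"/cgi-bin"),               # rewrites 1005..1011: alert
]

if __name__ == "__main__":
    for flow, start, end in find_conflicting_overlaps(SAMPLE):
        print(f"conflicting overlap in {flow}: seq {start}..{end - 1}")
```

Which overlapping copy an end host actually accepts depends on its TCP stack, so the defensive value of this check is that the disagreement itself is the signal, not which version "wins".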
This archive was generated by hypermail 2b30 : Wed Apr 17 2002 - 18:53:15 PDT