Re: RPC/TCP Record Marking for IDS Evasion

From: Jeff Nathan (jeffat_private)
Date: Sat Jan 12 2002 - 12:16:59 PST


    Dug Song wrote:
    > 
    > On Thu, Jan 10, 2002 at 06:34:38PM -0800, diphenat_private wrote:
    > 
    > > I'm doing some work on parsing RPC protocols as part of my job, and I'm
    > > wondering if I've come up with a previously-unknown way of evading IDS
    > > for RPC-based attacks.
    > 
    > i mentioned (and implemented) this about two years ago. Robert Graham
    > subsequently fixed this in his NetworkICE product, not sure about others:
    > 
    >         http://archives.neohapsis.com/archives/ids/2000-q1/0007.html
    >         http://archives.neohapsis.com/archives/ids/2000-q1/0149.html
    
    
    Snort's spp_rpc_decode preprocessor will also normalize RPC traffic
    broken up by record markers.
    
    
    [...]
    
    > 
    > -d.
    > 
    > ---
    > http://www.monkey.org/~dugsong/
    
    -Jeff
    
    -- 
    http://jeff.wwti.com            (pgp key available)
    "Common sense is the collection of prejudices acquired by age eighteen."
    - Albert Einstein
    
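As an added example that is not part of this thread: a minimal Python normalizer for RPC-over-TCP record marking (RFC 1831), doing the kind of reassembly Snort's spp_rpc_decode performs, plus a constructed portmap GETPORT call split across three fragments to show why a detection check must run on the reassembled record rather than on raw stream bytes. The fragment sizes, the xid and the GETPORT arguments are constructed sample values, and the function names are mine, not Snort's.

```python
import struct

# RFC 1831 sec. 10: on TCP each RPC fragment is preceded by a 4-byte record
# mark; the high bit flags the last fragment, the low 31 bits give the length.
LAST_FRAGMENT = 0x80000000
PORTMAP_PROG, GETPORT_PROC = 100000, 3

def reassemble_rpc_records(stream: bytes):
    """Normalize a TCP byte stream into whole RPC records (marks stripped).
    Returns (records, leftover) where leftover is the unconsumed tail of a
    record whose last fragment has not arrived yet."""
    records, current = [], bytearray()
    pos = record_start = 0
    while pos + 4 <= len(stream):
        (mark,) = struct.unpack_from("!I", stream, pos)
        end = pos + 4 + (mark & 0x7FFFFFFF)
        if end > len(stream):
            break  # fragment incomplete; wait for more data
        current += stream[pos + 4:end]
        pos = end
        if mark & LAST_FRAGMENT:
            records.append(bytes(current))
            current, record_start = bytearray(), pos
    return records, stream[record_start:]

def fragment_record(record: bytes, sizes):
    """Encode one record as marked fragments of the given sizes (constructed
    test input); sizes must sum to len(record), the last one sets the flag."""
    assert sum(sizes) == len(record)
    out, pos = bytearray(), 0
    for i, size in enumerate(sizes):
        flag = LAST_FRAGMENT if i == len(sizes) - 1 else 0
        out += struct.pack("!I", size | flag) + record[pos:pos + size]
        pos += size
    return bytes(out)

def is_portmap_getport(record: bytes) -> bool:
    """Detection check on a normalized record: RPCv2 CALL to program 100000
    (portmapper), procedure 3 (GETPORT); header layout per RFC 1831 sec. 9."""
    if len(record) < 24:
        return False
    _xid, mtype, rpcvers, prog, _vers, proc = struct.unpack_from("!6I", record)
    return mtype == 0 and rpcvers == 2 and prog == PORTMAP_PROG and proc == GETPORT_PROC

# Constructed sample call: header, AUTH_NULL cred/verf, GETPORT args (NFS v3, TCP).
GETPORT_CALL = (struct.pack("!6I", 0x1234ABCD, 0, 2, PORTMAP_PROG, 2, GETPORT_PROC)
                + struct.pack("!4I", 0, 0, 0, 0) + struct.pack("!4I", 100003, 3, 6, 0))
# A boundary at byte 14 splits the program-number field across two fragments.
FRAGMENTED_STREAM = fragment_record(GETPORT_CALL, [14, 10, 32])
```

A raw byte-pattern signature for the "prog, vers, proc" fields does not match FRAGMENTED_STREAM because a record mark interrupts it, while the same check succeeds on the record that reassemble_rpc_records returns.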



    This archive was generated by hypermail 2b30 : Sat Jan 12 2002 - 19:46:33 PST