| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: synfinatic at gmail.com (Aaron Turner) Subject: Bypassing "smart" IDSes with misdirected frames? (long and boring) [snip original comments... read the archives if you don't know what this thread is about] Three comments: 1) Yes, playing with dst MAC addresses will work against most if not all inline IPS solutions, and probably every sniffer based IDS... they just don't track that sort of thing, although some do track source MAC's to make sure you're not running ettercap or something like that. About the only solution that might protect against that is a device which runs in a proxy-arp mode, since it would either not receive the packet or would correct the destination MAC before forwarding (in the case of a hw broadcast or hub). 2) Certain current and "state of the art" products can be evaded using other methods which cause them to become out of sync with the victim. Just last week I found a certain IPS vendor who will remain nameless still hasn't figured out how to do proper TCP stream reassembly and proper IP defragmentation. Other even more basic problems exist in various products for which appear to be either pure laziness or attempts to cut corners to boost performance numbers. 3) If you really want to have fun evading IDS you need to be using libnet & libpcap or raw sockets. -AT
Powered by blists - more mailing lists