ImmunitySec’s IDS Evasion Tests

Thomas Ptacek | January 3rd, 2005 | Filed Under: Uncategorized

Dave Aitel is calling out security product vendors who fail his CANVAS penetration tests. These tests evidently create Microsoft RPC sessions that are hard for monitoring systems to parse; that they expose implementation trouble with Microsoft’s extremely troublesome protocols is the opposite of surprising. (That a system like NAI IntruShield handles Microsoft properly under strain invites interesting questions. NAI’s system is allegedly built largely out of custom hardware. More on that later.)

In holding Snort out as an example, Aitel shows a result that is surprising: apparent failures in TCP reassembly. TCP correctness is fundamental to network monitoring, and has been an obvious target of attack since 1998. It’s hard to imagine a popular security system being vulnerable to simple reassembly attacks. Maybe nobody actually tests these things.

Aitel should be more specific about his results. Better yet, he should create a roundup site at ImmunitySec where we can go see the current results against the most recent builds of these products. And of course, if Dave is going to name names (or encourage others to do so), he probably owes the community a non-NDA’d description of the nature of his tests.
