SlideShare a Scribd company logo

IDS Evasion Techniques

Tudor Damian
Tudor Damian

There is no doubt that Intrusion Detection Systems should be incorporated into any security infrastructure, however today’s IDS implementations are far from perfect. Security Managers should continue to add layers to their defense strategy and not place too much reliance on this technology, as it’s not easy to create a system that can effectively flag an attack without crashing under the weight of its own logs, operate relatively maintenance free and respond appropriately to benign anomalous events without raising too many false alarms. This session discusses some of the most common techniques aimed at evading IDS detection order to easily attack the infrastructure sitting behind those systems.

Technology
1 of 40
Download to read offline
IDS Evasion Techniques DefCamp 2015 Bucharest, Nov 19th-20th 2015
Tudor Damian General Manager & IT Solutions Specialist @ Transcent Operations Manager & Partner @ Avaelgo Co-founder @ ITCamp & ITCamp Community • Certified Ethical Hacker (EC-Council) • Certified Security Professional (CQURE) • Cloud & Datacenter Management MVP (Microsoft) Contact: tudy@tudy.ro / www.tudy.tel
Your Technology Business Partner
Fair Warning • There’s more content that we can realistically cover before lunch  • We’re only aiming for a high-level overview here, not an in-depth dive • No need to take notes, you’ll get the slides anyway 
IDS Evasion Techniques Brief Overview • From CIDF to RFC 4765 • Physical, Network and Host IDS/IPS • NIDS design considerations & problems Some Advanced Evasion Techniques (AETs) • Obfuscation (Insertion, Evasion, Session Splicing, Fragmentation) • Denial of Service (DoS) & False Positive Generation • Pattern-Matching Weaknesses • Protocol Violation, TTL Attacks, Urgency Flag • Polymorphic & ASCII Shellcode • Encryption and Tunneling • Application Hijacking Potential Solutions • Normalization • Packet Interpretation Based on Target Host Tools & Resources
Brief Overview
From CIDF to RFC 4765 • Common Intrusion Detection Framework (CIDF) • An old (late 90s) attempt by DARPA (US govt's Defense Advanced Research Projects Agency) to develop an IDS interchange format • Started as a research project, currently dormant • CIDF components that together define an Intrusion Detection System: • E-boxes - event generators (sniffers, monitors) • A-boxes - analysis engines (signature matchers) • D-boxes - storage mechanisms (loggers) • C-boxes - countermeasures (alarms, firewalls) • The IETF (Internet Engineering Task Force) more recently (2007) started work on a common format (RFC 4765): • http://www.ietf.org/rfc/rfc4765.txt
Physical IDS • Security Guards • Security Cameras • Access Control Systems (Card, Biometric) • Firewalls • Man Traps • Motion Sensors Not talking about these today 
Network & Host IDS/IPS • NIDS – Network Intrusion Detection System • Using a network tap, span port, or hub collects packets on the network • Attempts to identify unauthorized, illicit, and anomalous behavior based on network traffic • Methods: signature file comparisons, anomaly detection, stateful protocol analysis • Using the captured data, the IDS system processes and flags any suspicious traffic • HIDS – Host Intrusion Detection System • Generally involves an agent installed on each system, monitoring and alerting on local OS and application activity • Attempts to identify unauthorized, illicit, and anomalous behavior on a specific device/OS • The installed agent uses a combination of signatures, rules, and heuristics to identify unauthorized activity • IDS vs IPS? • An IDS only has passive role (identify, log and alert) • An IPS also blocks network traffic
NIDS Design Considerations • Logical Target of Attacks • Each component a potential point of vulnerability and hence attacks • Possible Attacks on their • “Availability” (total shutdown) • “Accuracy” (false positives) • “Completeness” (false negatives) • Need to be Reliable, Robust • Avoid false sense of security • There’s no IDS out there with 100% accuracy • They all generate both false positives and false negatives
Problems with NIDS • Passive Network Monitors • Inherently “fail-open” • Cease to provide protection when subverted • Vulnerability to Denial of Service • Process all flows to all protected end-systems • Being complex systems require lots of resources • Resource starvation problem is not easily solvable • Insufficient Information on the Wire • Not enough to correctly reconstruct the state of complex protocol transactions like it is done at the end-systems • Diversity in Protocol Implementations • Packet processing differs across end-systems • Leads to ambiguous interpretations • Unknown Internal Network Conditions • Topology, router configs, traffic congestion, etc.
Advanced Evasion Techniques
Advanced Evasion Techniques (AETs) • Delivered in a highly liberal way • Security devices are designed in a conservative way • Employ rarely used protocol properties • Use unusual combinations • Create network traffic that disregards strict protocol specifications • Exploit the technical and inspection limitations of security devices: memory capacity, performance optimization, design flaws
Some of the most common attacks against NIDS • Insertion • Stuffing the analyzer with “invalid” packets • Evasion • Slipping “valid” packets past the analyzer • Denial of Service (DoS) • Causing resource starvation and overloading the IDS • Pattern-matching weaknesses • Exploiting pattern-based detection approach employed by most IDS • Pattern-matching weaknesses • Encryption and tunneling • SSL, SSH, IPSec, etc. • Fragmentation • Breaking the attack into multiple packets • Protocol violation • Attacks targeted at complex protocol (e.g. SMB) • File Locations and Integrity • Circumventing triggers in HIDS • Application Hijacking • If done correctly few HIDS will detect it, while NIDS usually skip the application layer completely
Insertion Occurs when the NIDS is less strict in processing packets than the internal network NIDS accepts packets that the end system rejects or doesn’t even receive Attacker’s data stream NIDS data stream Accepts 3rd packet which overwrites 2nd packet data Interprets ATXACK End system data stream Rejects 3rd packet for some reason (or doesn’t even receive it, i.e. TTL) Interprets ATTACK 2 3 3 5 4 1 6 T T X C A A K 1 2 3 3 4 5 6 A T T X A C K 1 2 3 3 4 5 6 A T T X A C K
Evasion Occurs when the NIDS is more strict in processing packets than the internal network An end-system can accept packets that the NIDS rejects Attacker’s data stream NIDS data stream Rejects 3rd packet for some reason and sees ATXACK End system data stream Accepts 3rd packet which overwrites 2nd packet Interprets ATTACK 2 3 3 5 4 1 6 T X T C A A K 1 2 3 3 4 5 6 A T X T A C K 1 2 3 3 4 5 6 A T X T A C K
Real insertion / evasion attacks • Mostly exploit basic network and protocol ambiguities at the NIDS • Ambiguous interpretation of header fields • Ambiguous handling of header options • Ambiguous fragment/segment reassembly • NIDS and the end-system get different views of the same data stream • Ambiguities cause NIDS to accept/reject packets differently than the end-systems • Differences in protocol implementations • Non-conformance to Protocol Standards • Every OS has a different protocol stack • End-system and router configurations • Application/Socket level options
NIDS ambiguities - examples Related field Ambiguity (problem) for the NIDS TTL Will the packet reach the end-system before TTL becomes 0? Length, DF Will all downstream links be able to transmit this big packet without fragmenting it (Don’t Fragment -DF- bit set)? IP Option(s) Will the end-system/routers accept packet with specific IP option(s)? E.g. (Strict) Source Route option TCP Option(s) Will the end-system accept packets with specific TCP option(s)? Data Will the end-system accept data in a SYN packet? ToS Does the packet conform to all internal routers (DiffServ)? IP Frag Offset How will the end-system reassemble overlapping fragments? TCP Seq No How will the end-system reassemble overlapping segments?
Session Splicing • Technique used to bypass IDS where an attacker splits the attack traffic into many packets such that no single packet triggers the IDS • It is effective against IDS-es that do not reconstruct packets before checking them again through intrusion signatures • If attackers are aware of delays in packet reassembly at the IDS, they can add delays between packet transmissions to bypass the reassembly • Many IDS-es stop reassembly if they do not receive packets within a certain time • IDS-es become useless if the target host keeps sessions active for a longer time than the IDS reassembly time • Any attack attempt after a successful splicing attack will not be logged by the IDS
Fragmentation • Similar to Session Splicing • Attackers send packets in blocks that do not trigger IDS signatures or cause alerts • Generally more powerful than Session Splicing • Two common fragmentation methods • One method overwrites a section of a previous fragment • The second method overwrites a complete fragment • Enables attackers to write an entire packet of garbage information and craft their attack to blend in with standard protocols • Some IDSs do have ways to handle these attacks through reassembly
Fragmentation - examples Attack 1: Overlap Method • Packet 1: GET /cgi-bin/ • Packet 2: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/../phxx • Packet 3: f? • This example of fragmentation can overwrite the 'xx' portion of Packet 2 with the data in Packet 3, making the information resemble the following: • GET /cgi-bin/ aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/../phf? Attack 2: Overwrite Method • Packet 1: GET /cgi-bin/ • Packet 2: some_normal_filename.cgi • Packet 3: /aaa/../aaa/../aaa/../phxx • Packet 4: f? • This example is similar to the first, but in this example, the 'xx' portion is overwritten and the some_normal_filename.cgi packet is completely overwritten with the last two packets • This leaves GET /cgi-bin/phf? as the end result.
Denial of Service (DoS) & False Positive Generation • Basic problem • NIDS needs to simulate the operation of all protected end-systems and internal network • Scarce Resources (CPU cycles, memory, disk space, bandwidth) • Usually working in a “fail-open” state • CPU DoS (target computationally expensive operations) • Fragment/Segment reassembly • Encryption/Decryption • Memory DoS (target state management operations) • TCP 3-way Handshake (TCP Control Block - TCB) • Fragment/Segment reassembly • Network Bandwidth DoS (target NIDS’s inability to process packets at line speed) • Reactive Systems DoS • Trigger lots of alarms (false positives) • Prevent valid access by spoofed addresses • Hide real attacks
Pattern-Matching Weaknesses • Most IDS solutions employ a pattern-based detection component • This approach is problematic, because not all input needs to be the same to trigger vulnerabilities • Example pattern: • GET /cgi-bin/phf? • Obfuscation: • GET /cgi-bin/aaaaaaaaaaaaaaaaaaaaaaaaaa/..%25%2fp%68f? • Both versions result in the same output, yet look very different • Unicode evasion can also be used here • e.g. can be represented as 5C, C19C and E0819C
Protocol Violation • Attacks can be targeted at complex protocols • e.g. SMB (Server Message Block), MSRPC, SunRPC • In order to provide protection to a complex protocol, the IDS has to have a deep understanding of it • The IDS implementation also needs to be • Fault-tolerant • Resilient • Able to cope with excessive and unexpected connections and requests
TTL Attacks • For TTL attacks, attackers must have some knowledge of the internal network topology • Attackers must know the distance to the end host and whether an IDS is placed in front of the end host • By using a small TTL flag in a TCP packet, attackers can send packets that will only reach the IDS and not the end host • The IDS, in turn, will think the packet addressed to the end host will make it there • This allows attackers to inject garbage packets into the IDS stream processing • Example: • Packet 1: GET /cgi-bin/p TTL 15 • Packet 2: some_file.cgi?= TTL 10 • Packet 3: hf? TTL 15 • This assumes that the end host is beyond the 15 TTL limit and will receive the data • It also assumes that the IDS is within the 10-14 TTL limit, and any data lower than that will not reach the destination host • The IDS receives "GET /cgi-bin/psome_file.cgi?=hf?" • The end host will receive "GET /cgi-bin/phf?"
Urgency Flag • The urgency flag is used within the TCP protocol to mark data as urgent • When the urgency flag is set, all data before the urgency pointer is ignored, and the data to which the urgency pointer points is processed • Some IDSs do not take into account the TCP protocol's urgency feature • Attackers can place garbage data before the urgency pointer • The IDS reads that data without consideration for the end host's urgency flag handling • This means the IDS has more data than the end host actually processed • Example of an urgency flag attack: • "1 Byte data, next to Urgent data, will be lost, when Urgent data and normal data are combined." • Packet 1: ABC • Packet 2: DEF Urgency Pointer: 3 • Packet 3: GHI • End result: ABCDEFHI • According to the 1122 RFC, the urgency pointer causes one byte of data next to the urgent data to be lost when urgent data is combined with normal data
Polymorphic Shellcode • Most IDSs contain signatures for commonly used strings within shellcode • This is easily bypassed by using encoded shellcode containing a stub that decodes the shellcode that follows • This means that shellcode can be completely different each time it is sent • Polymorphic shellcode allows attackers to hide their shellcode by encrypting it in a simplistic form • It is difficult for IDSs to identify this data as shellcode • This method also hides the commonly used strings within shellcode, making shellcode signatures useless
ASCII Shellcode • Similar to polymorphic shellcode • ASCII shellcode contains only characters contained within the ASCII standard • This helps attackers bypass IDS pattern matching signatures as strings are hidden within the shellcode in a similar fashion to polymorphic shellcode • The following is an ASCII shellcode example: char shellcode[] = "LLLLYhb0pLX5b0pLHSSPPWQPPaPWSUTBRDJfh5tDS" "RajYX0Dka0TkafhN9fYf1Lkb0TkdjfY0Lkf0Tkgfh" "6rfYf1Lki0tkkh95h8Y1LkmjpY0Lkq0tkrh2wnuX1" "Dks0tkwjfX0Dkx0tkx0tkyCjnY0LkzC0TkzCCjtX0" "DkzC0tkzCj3X0Dkz0TkzC0tkzChjG3IY1LkzCCCC0" "tkzChpfcMX1DkzCCCC0tkzCh4pCnY1Lkz1TkzCCCC" "fhJGfXf1Dkzf1tkzCCjHX0DkzCCCCjvY0LkzCCCjd" "X0DkzC0TkzCjWX0Dkz0TkzCjdX0DkzCjXY0Lkz0tk" "zMdgvvn9F1r8F55h8pG9wnuvjrNfrVx2LGkG3IDpf" "cM2KgmnJGgbinYshdvD9d"; • When executed, the shellcode above executes a "/bin/sh" shell
Encryption and Tunneling • When the attacker manages to establish an encrypted tunnel to the target, IDS-es are evaded completely • Any sort of encrypted connection/tunneling works • SSH • SSL • IPSec • RDP • etc.
Application Hijacking • Application layer attacks enable many different forms of evasion • Many applications that deal with media such as images, video and audio employ some form of compression • When a flaw is found in these applications, the entire attack can occur within compressed data, and the IDS will have no way to check the compressed file format for signatures
Potential Solutions
Normalization • Normalization takes obfuscated input and attempts to translate it into what the end host will eventually see • This usually entails encoding in formats such as Unicode and UTF8 • The normalization process allows for encoding, translation and the application of pattern matching to the normalized data • Prevents attackers from obfuscating the attack strings using Unicode or UTF8 strings • Polymorphic shellcode & ASCII shellcode could circumvent this • Some IDSs are attempting to apply normalization to polymorphic shellcode • CPU intensive, which affects monitoring for the remaining network traffic • Normalization also applies to network data • Some IDSs normalize fragmented packets and reassemble them in the proper order • This enables the IDS to look at the information just as the end host will see it • In addition, some IDSs change the TTL field to a large number • This ensures that packets reach the end host
Packet Interpretation Based on Target Host • IDS-es are at a disadvantage • These systems attempt to recreate what the end host will see and handle • There are a lot of disparate methods of communicating data over a network • The end host's TCP/IP stack should be used (host-based IDS) • Better than trying to recreate the stream in a way that the stream may be handled • In using the host to do the work, the guessing portion of the task is eliminated • Another option: using modular TCP/IP stacks within an IDS • Using the stacks based on the targeted host's operating system. • Specific OS handling of anomalous traffic must be thoroughly reviewed • Effective in mitigating fragmentation, RST packet handling and Urgency Flags
Tools & Resources
Some free IDS out there… • ACARM-ng • AIDE (Advanced Intrusion Detection Environment) • Bro NIDS • Fail2ban • OSSEC (Open Source Host-based IDS) • Prelude SIEM (Security Information & Event Management) • Samhain • Snort • Suricata • Tripwire
…and some IDS evasion tools • Evader • Nmap • Nmap reference on IDS evasion • libemu • Kali Linux • Fragroute • Fragrouter • InTrace • SniffJoke • Other tools • Wireshark • HxD (hex editor/viewer)
Closing remarks
Upcoming Public Courses IT Security Awareness Seminar & ​Web Application Security Seminar Bucharest, 10-11 December 2015​ Troubleshooting Windows Infrastructure - From Zero to Hero Masterclass Bucharest, 11-15 January 2016 Paula Januszkiewicz is an IT Security Auditor and Penetration Tester, Enterprise Security MVP and trainer (MCT) and Microsoft Security Trusted Advisor. She is also a top-speaker on many well-known conferences (for example: TechEd North America, TechEd Europe, TechEd Middle East, RSA, TechDays, CyberCrime etc.) and writes articles on Windows Security. She proudly holds the role of the Security Architect at IDesign and she drives her own company CQURE. She conducted hundreds of IT security audits and penetration tests, including governmental organizations. Her distinct specialization is definitely on Microsoft security solutions in which she holds multiple Microsoft certifications (MCITP, MCTS, MCSE, MCDBA etc.) besides being familiar and possessing certifications with other related technologies. Paula is passionate about sharing her knowledge with others. In private, she enjoys researching new technologies, which she converts to authored trainings. She has access to a source code of Windows.
Your Technology Business Partner
Tudor Damian General Manager & IT Solutions Specialist @ Transcent Operations Manager & Partner @ Avaelgo Co-founder @ ITCamp & ITCamp Community • Certified Ethical Hacker (EC-Council) • Certified Security Professional (CQURE) • Cloud & Datacenter Management MVP (Microsoft) Contact: tudy@tudy.ro / www.tudy.tel

Recommended

Ch 5: Port Scanning
Ch 5: Port ScanningCh 5: Port Scanning
Ch 5: Port Scanning
Sam Bowne
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
Aparna Bhadran
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
hruth
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
Santosh Khadsare
 
Network attacks
Network attacksNetwork attacks
Network attacks
Manjushree Mashal
 
Intrusion prevention system(ips)
Intrusion prevention system(ips)Intrusion prevention system(ips)
Intrusion prevention system(ips)
Papun Papun
 
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)
Fabiha Shahzad
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)
Netwax Lab
 

Recommended

Ch 5: Port Scanning
Ch 5: Port ScanningCh 5: Port Scanning
Ch 5: Port Scanning
Sam Bowne
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
Aparna Bhadran
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
hruth
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
Santosh Khadsare
 
Network attacks
Network attacksNetwork attacks
Network attacks
Manjushree Mashal
 
Intrusion prevention system(ips)
Intrusion prevention system(ips)Intrusion prevention system(ips)
Intrusion prevention system(ips)
Papun Papun
 
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)
Fabiha Shahzad
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)
Netwax Lab
 
Remote access service
Remote access serviceRemote access service
Remote access service
Apoorw Pandey
 
Topics in network security
Topics in network securityTopics in network security
Topics in network security
Nasir Bhutta
 
Tcp header/IP Header/Authentication header
Tcp header/IP Header/Authentication headerTcp header/IP Header/Authentication header
Tcp header/IP Header/Authentication header
Faizan Shaikh
 
Intrusion Prevention System
Intrusion Prevention SystemIntrusion Prevention System
Intrusion Prevention System
Vishwanath Badiger
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissance
NishaYadav177
 
Application layer protocols
Application layer protocolsApplication layer protocols
Application layer protocols
JUW Jinnah University for Women
 
SMTP - SIMPLE MAIL TRANSFER PROTOCOL
SMTP - SIMPLE MAIL TRANSFER PROTOCOLSMTP - SIMPLE MAIL TRANSFER PROTOCOL
SMTP - SIMPLE MAIL TRANSFER PROTOCOL
Vidhu Arora
 
Introduction to Snort
Introduction to SnortIntroduction to Snort
Introduction to Snort
Hossein Yavari
 
System hacking
System hackingSystem hacking
System hacking
CAS
 
Cs8591 Computer Networks - UNIT V
Cs8591 Computer Networks - UNIT VCs8591 Computer Networks - UNIT V
Cs8591 Computer Networks - UNIT V
pkaviya
 
Ipsec
IpsecIpsec
Ipsec
Rupesh Mishra
 
Email hacking
Email hackingEmail hacking
Email hacking
ShreyaBhoje
 
Snort
SnortSnort
Snort
Stickman Hai
 
Wireshark Basic Presentation
Wireshark Basic PresentationWireshark Basic Presentation
Wireshark Basic Presentation
MD. SHORIFUL ISLAM
 
Packet sniffing
Packet sniffingPacket sniffing
Packet sniffing
Shyama Bhuvanendran
 
Email Security : PGP & SMIME
Email Security : PGP & SMIMEEmail Security : PGP & SMIME
Email Security : PGP & SMIME
Rohit Soni
 
Packet sniffers
Packet sniffersPacket sniffers
Packet sniffers
Kunal Thakur
 
Hacking,History Of Hacking,Types of Hacking,Types Of Hackers,Cyber Laws for ...
Hacking,History Of Hacking,Types of Hacking,Types Of Hackers,Cyber Laws for ...Hacking,History Of Hacking,Types of Hacking,Types Of Hackers,Cyber Laws for ...
Hacking,History Of Hacking,Types of Hacking,Types Of Hackers,Cyber Laws for ...
Qazi Anwar
 
Port Scanning
Port ScanningPort Scanning
Port Scanning
amiable_indian
 
Types of attacks
Types of attacksTypes of attacks
Types of attacks
Vivek Gandhi
 
Web twc newsletter autumn 2012 24pp
Web twc newsletter autumn 2012 24ppWeb twc newsletter autumn 2012 24pp
Web twc newsletter autumn 2012 24pp
johnnybouchier
 
El impacto de la Inteligencia Competitiva en la PYME.
El impacto de la Inteligencia Competitiva en la PYME.El impacto de la Inteligencia Competitiva en la PYME.
El impacto de la Inteligencia Competitiva en la PYME.
antara information technology
 

More Related Content

What's hot

Remote access service
Remote access serviceRemote access service
Remote access service
Apoorw Pandey
 
Topics in network security
Topics in network securityTopics in network security
Topics in network security
Nasir Bhutta
 
Tcp header/IP Header/Authentication header
Tcp header/IP Header/Authentication headerTcp header/IP Header/Authentication header
Tcp header/IP Header/Authentication header
Faizan Shaikh
 
Intrusion Prevention System
Intrusion Prevention SystemIntrusion Prevention System
Intrusion Prevention System
Vishwanath Badiger
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissance
NishaYadav177
 
Application layer protocols
Application layer protocolsApplication layer protocols
Application layer protocols
JUW Jinnah University for Women
 
SMTP - SIMPLE MAIL TRANSFER PROTOCOL
SMTP - SIMPLE MAIL TRANSFER PROTOCOLSMTP - SIMPLE MAIL TRANSFER PROTOCOL
SMTP - SIMPLE MAIL TRANSFER PROTOCOL
Vidhu Arora
 
Introduction to Snort
Introduction to SnortIntroduction to Snort
Introduction to Snort
Hossein Yavari
 
System hacking
System hackingSystem hacking
System hacking
CAS
 
Cs8591 Computer Networks - UNIT V
Cs8591 Computer Networks - UNIT VCs8591 Computer Networks - UNIT V
Cs8591 Computer Networks - UNIT V
pkaviya
 
Ipsec
IpsecIpsec
Ipsec
Rupesh Mishra
 
Email hacking
Email hackingEmail hacking
Email hacking
ShreyaBhoje
 
Snort
SnortSnort
Snort
Stickman Hai
 
Wireshark Basic Presentation
Wireshark Basic PresentationWireshark Basic Presentation
Wireshark Basic Presentation
MD. SHORIFUL ISLAM
 
Packet sniffing
Packet sniffingPacket sniffing
Packet sniffing
Shyama Bhuvanendran
 
Email Security : PGP & SMIME
Email Security : PGP & SMIMEEmail Security : PGP & SMIME
Email Security : PGP & SMIME
Rohit Soni
 
Packet sniffers
Packet sniffersPacket sniffers
Packet sniffers
Kunal Thakur
 
Hacking,History Of Hacking,Types of Hacking,Types Of Hackers,Cyber Laws for ...
Hacking,History Of Hacking,Types of Hacking,Types Of Hackers,Cyber Laws for ...Hacking,History Of Hacking,Types of Hacking,Types Of Hackers,Cyber Laws for ...
Hacking,History Of Hacking,Types of Hacking,Types Of Hackers,Cyber Laws for ...
Qazi Anwar
 
Port Scanning
Port ScanningPort Scanning
Port Scanning
amiable_indian
 
Types of attacks
Types of attacksTypes of attacks
Types of attacks
Vivek Gandhi
 

What's hot (20)

Remote access service
Remote access serviceRemote access service
Remote access service
 
Topics in network security
Topics in network securityTopics in network security
Topics in network security
 
Tcp header/IP Header/Authentication header
Tcp header/IP Header/Authentication headerTcp header/IP Header/Authentication header
Tcp header/IP Header/Authentication header
 
Intrusion Prevention System
Intrusion Prevention SystemIntrusion Prevention System
Intrusion Prevention System
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissance
 
Application layer protocols
Application layer protocolsApplication layer protocols
Application layer protocols
 
SMTP - SIMPLE MAIL TRANSFER PROTOCOL
SMTP - SIMPLE MAIL TRANSFER PROTOCOLSMTP - SIMPLE MAIL TRANSFER PROTOCOL
SMTP - SIMPLE MAIL TRANSFER PROTOCOL
 
Introduction to Snort
Introduction to SnortIntroduction to Snort
Introduction to Snort
 
System hacking
System hackingSystem hacking
System hacking
 
Cs8591 Computer Networks - UNIT V
Cs8591 Computer Networks - UNIT VCs8591 Computer Networks - UNIT V
Cs8591 Computer Networks - UNIT V
 
Ipsec
IpsecIpsec
Ipsec
 
Email hacking
Email hackingEmail hacking
Email hacking
 
Snort
SnortSnort
Snort
 
Wireshark Basic Presentation
Wireshark Basic PresentationWireshark Basic Presentation
Wireshark Basic Presentation
 
Packet sniffing
Packet sniffingPacket sniffing
Packet sniffing
 
Email Security : PGP & SMIME
Email Security : PGP & SMIMEEmail Security : PGP & SMIME
Email Security : PGP & SMIME
 
Packet sniffers
Packet sniffersPacket sniffers
Packet sniffers
 
Hacking,History Of Hacking,Types of Hacking,Types Of Hackers,Cyber Laws for ...
Hacking,History Of Hacking,Types of Hacking,Types Of Hackers,Cyber Laws for ...Hacking,History Of Hacking,Types of Hacking,Types Of Hackers,Cyber Laws for ...
Hacking,History Of Hacking,Types of Hacking,Types Of Hackers,Cyber Laws for ...
 
Port Scanning
Port ScanningPort Scanning
Port Scanning
 
Types of attacks
Types of attacksTypes of attacks
Types of attacks
 

Viewers also liked

Web twc newsletter autumn 2012 24pp
Web twc newsletter autumn 2012 24ppWeb twc newsletter autumn 2012 24pp
Web twc newsletter autumn 2012 24pp
johnnybouchier
 
El impacto de la Inteligencia Competitiva en la PYME.
El impacto de la Inteligencia Competitiva en la PYME.El impacto de la Inteligencia Competitiva en la PYME.
El impacto de la Inteligencia Competitiva en la PYME.
antara information technology
 
GIS AUTOMATION
GIS AUTOMATIONGIS AUTOMATION
GIS AUTOMATION
William Francis
 
Correo electrónico Cloud Hosting
Correo electrónico Cloud HostingCorreo electrónico Cloud Hosting
Correo electrónico Cloud Hosting
webcomunicaciones
 
Pou taller autodiagnostico
Pou taller autodiagnosticoPou taller autodiagnostico
Pou taller autodiagnostico
paulandres25
 
Normetal - educación, cultura y turismo
Normetal - educación, cultura y turismoNormetal - educación, cultura y turismo
Normetal - educación, cultura y turismo
Normetal
 
Phtv Remember When Psa
Phtv Remember When PsaPhtv Remember When Psa
Phtv Remember When Psa
pharkins
 
Bpi Sales Presentation
Bpi Sales PresentationBpi Sales Presentation
Bpi Sales Presentation
alandavis
 
Cobertura de eventos
Cobertura de eventosCobertura de eventos
Cobertura de eventos
arrava
 
Novagob 2015 ConRed Nuevos Marcos Para la Participacion Ciudadana
Novagob 2015 ConRed Nuevos Marcos Para la Participacion CiudadanaNovagob 2015 ConRed Nuevos Marcos Para la Participacion Ciudadana
Novagob 2015 ConRed Nuevos Marcos Para la Participacion Ciudadana
Conred Santa Cruz
 
Open Cloud Storage @ OpenStack Summit Paris
Open Cloud Storage @ OpenStack Summit ParisOpen Cloud Storage @ OpenStack Summit Paris
Open Cloud Storage @ OpenStack Summit Paris
it-novum
 
Procesoeducativoyparadigmas
ProcesoeducativoyparadigmasProcesoeducativoyparadigmas
Procesoeducativoyparadigmas
rociel94_1
 
1era. jornada de mercado de capitales jujuy .- Dr. Juan Otero CNV
1era. jornada de mercado de capitales jujuy .- Dr. Juan Otero CNV1era. jornada de mercado de capitales jujuy .- Dr. Juan Otero CNV
1era. jornada de mercado de capitales jujuy .- Dr. Juan Otero CNV
Invierta Jujuy
 
Metodo de consultoria en spingen para sfa oql
Metodo de consultoria en spingen para sfa oqlMetodo de consultoria en spingen para sfa oql
Metodo de consultoria en spingen para sfa oql
INNOVO USACH
 
Wissensmanagement mit semantischen Wikis
Wissensmanagement mit semantischen WikisWissensmanagement mit semantischen Wikis
Wissensmanagement mit semantischen Wikis
Bernhard Krabina
 
Proxecto meteoescolas no ies francisco asorey
Proxecto meteoescolas no ies francisco asoreyProxecto meteoescolas no ies francisco asorey
Proxecto meteoescolas no ies francisco asoreyiesasorey
 
Syllabus enci mate ii 2014 l
Syllabus enci mate ii 2014 lSyllabus enci mate ii 2014 l
Syllabus enci mate ii 2014 l
David Narváez
 
Simpligrab
SimpligrabSimpligrab
Simpligrab
KAUSHIK PUNYAURTHULA
 
1. atr42 uso de hoja de carga mecanizada
1. atr42 uso de hoja de carga mecanizada1. atr42 uso de hoja de carga mecanizada
1. atr42 uso de hoja de carga mecanizada
SwiftAir S.A.
 
Co(m)versa Presentacion Corporativa
Co(m)versa Presentacion CorporativaCo(m)versa Presentacion Corporativa
Co(m)versa Presentacion Corporativa
sergiorivascomversa
 

Viewers also liked (20)

Web twc newsletter autumn 2012 24pp
Web twc newsletter autumn 2012 24ppWeb twc newsletter autumn 2012 24pp
Web twc newsletter autumn 2012 24pp
 
El impacto de la Inteligencia Competitiva en la PYME.
El impacto de la Inteligencia Competitiva en la PYME.El impacto de la Inteligencia Competitiva en la PYME.
El impacto de la Inteligencia Competitiva en la PYME.
 
GIS AUTOMATION
GIS AUTOMATIONGIS AUTOMATION
GIS AUTOMATION
 
Correo electrónico Cloud Hosting
Correo electrónico Cloud HostingCorreo electrónico Cloud Hosting
Correo electrónico Cloud Hosting
 
Pou taller autodiagnostico
Pou taller autodiagnosticoPou taller autodiagnostico
Pou taller autodiagnostico
 
Normetal - educación, cultura y turismo
Normetal - educación, cultura y turismoNormetal - educación, cultura y turismo
Normetal - educación, cultura y turismo
 
Phtv Remember When Psa
Phtv Remember When PsaPhtv Remember When Psa
Phtv Remember When Psa
 
Bpi Sales Presentation
Bpi Sales PresentationBpi Sales Presentation
Bpi Sales Presentation
 
Cobertura de eventos
Cobertura de eventosCobertura de eventos
Cobertura de eventos
 
Novagob 2015 ConRed Nuevos Marcos Para la Participacion Ciudadana
Novagob 2015 ConRed Nuevos Marcos Para la Participacion CiudadanaNovagob 2015 ConRed Nuevos Marcos Para la Participacion Ciudadana
Novagob 2015 ConRed Nuevos Marcos Para la Participacion Ciudadana
 
Open Cloud Storage @ OpenStack Summit Paris
Open Cloud Storage @ OpenStack Summit ParisOpen Cloud Storage @ OpenStack Summit Paris
Open Cloud Storage @ OpenStack Summit Paris
 
Procesoeducativoyparadigmas
ProcesoeducativoyparadigmasProcesoeducativoyparadigmas
Procesoeducativoyparadigmas
 
1era. jornada de mercado de capitales jujuy .- Dr. Juan Otero CNV
1era. jornada de mercado de capitales jujuy .- Dr. Juan Otero CNV1era. jornada de mercado de capitales jujuy .- Dr. Juan Otero CNV
1era. jornada de mercado de capitales jujuy .- Dr. Juan Otero CNV
 
Metodo de consultoria en spingen para sfa oql
Metodo de consultoria en spingen para sfa oqlMetodo de consultoria en spingen para sfa oql
Metodo de consultoria en spingen para sfa oql
 
Wissensmanagement mit semantischen Wikis
Wissensmanagement mit semantischen WikisWissensmanagement mit semantischen Wikis
Wissensmanagement mit semantischen Wikis
 
Proxecto meteoescolas no ies francisco asorey
Proxecto meteoescolas no ies francisco asoreyProxecto meteoescolas no ies francisco asorey
Proxecto meteoescolas no ies francisco asorey
 
Syllabus enci mate ii 2014 l
Syllabus enci mate ii 2014 lSyllabus enci mate ii 2014 l
Syllabus enci mate ii 2014 l
 
Simpligrab
SimpligrabSimpligrab
Simpligrab
 
1. atr42 uso de hoja de carga mecanizada
1. atr42 uso de hoja de carga mecanizada1. atr42 uso de hoja de carga mecanizada
1. atr42 uso de hoja de carga mecanizada
 
Co(m)versa Presentacion Corporativa
Co(m)versa Presentacion CorporativaCo(m)versa Presentacion Corporativa
Co(m)versa Presentacion Corporativa
 

Similar to IDS Evasion Techniques

Coporate Espionage
Coporate EspionageCoporate Espionage
Coporate Espionage
UTD Computer Security Group
 
PLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PLNOG 8: Merike Kaeo - Guide to Building Secure InfrastructuresPLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PROIDEA
 
Network security
Network security Network security
Network security
Vikas Jagtap
 
Unified Threat Management
Unified Threat ManagementUnified Threat Management
Unified Threat Management
Tapas Shome
 
CNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence CNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence
Sam Bowne
 
Myles firewalls
Myles firewallsMyles firewalls
Myles firewalls
Shmulik Avidan
 
Network security and protocols
Network security and protocolsNetwork security and protocols
Network security and protocols
Online
 
Ccna sec 01
Ccna sec 01Ccna sec 01
Ccna sec 01
EduclentMegasoftel
 
Day4
Day4Day4
Day4
Jai4uk
 
Overview of IP traceback mechanism
Overview of IP traceback mechanismOverview of IP traceback mechanism
Overview of IP traceback mechanism
ibnu mubarok
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
ParasPatel967737
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
KalsoomTahir2
 
shivam sahu (firewall).pdfb jndvhjfvhjjf
shivam sahu (firewall).pdfb jndvhjfvhjjfshivam sahu (firewall).pdfb jndvhjfvhjjf
shivam sahu (firewall).pdfb jndvhjfvhjjf
sahushivam4928
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
ParvezAhmed59842
 
CNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence CNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence
Sam Bowne
 
Module 7 Firewalls Part - 2 Presentation
Module 7 Firewalls Part - 2 PresentationModule 7 Firewalls Part - 2 Presentation
Module 7 Firewalls Part - 2 Presentation
9921103075
 
Firewall and Types of firewall
Firewall and Types of firewallFirewall and Types of firewall
Firewall and Types of firewall
Coder Tech
 
Cryptography Project by Aelsayed & Kyasser.pdf
Cryptography Project by Aelsayed & Kyasser.pdfCryptography Project by Aelsayed & Kyasser.pdf
Cryptography Project by Aelsayed & Kyasser.pdf
ahmeddeath6
 
640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths
hibaehed
 
CNIT 152: 9 Network Evidence
CNIT 152: 9 Network EvidenceCNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence
Sam Bowne
 

Similar to IDS Evasion Techniques (20)

Coporate Espionage
Coporate EspionageCoporate Espionage
Coporate Espionage
 
PLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PLNOG 8: Merike Kaeo - Guide to Building Secure InfrastructuresPLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
 
Network security
Network security Network security
Network security
 
Unified Threat Management
Unified Threat ManagementUnified Threat Management
Unified Threat Management
 
CNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence CNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence
 
Myles firewalls
Myles firewallsMyles firewalls
Myles firewalls
 
Network security and protocols
Network security and protocolsNetwork security and protocols
Network security and protocols
 
Ccna sec 01
Ccna sec 01Ccna sec 01
Ccna sec 01
 
Day4
Day4Day4
Day4
 
Overview of IP traceback mechanism
Overview of IP traceback mechanismOverview of IP traceback mechanism
Overview of IP traceback mechanism
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
 
shivam sahu (firewall).pdfb jndvhjfvhjjf
shivam sahu (firewall).pdfb jndvhjfvhjjfshivam sahu (firewall).pdfb jndvhjfvhjjf
shivam sahu (firewall).pdfb jndvhjfvhjjf
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
 
CNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence CNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence
 
Module 7 Firewalls Part - 2 Presentation
Module 7 Firewalls Part - 2 PresentationModule 7 Firewalls Part - 2 Presentation
Module 7 Firewalls Part - 2 Presentation
 
Firewall and Types of firewall
Firewall and Types of firewallFirewall and Types of firewall
Firewall and Types of firewall
 
Cryptography Project by Aelsayed & Kyasser.pdf
Cryptography Project by Aelsayed & Kyasser.pdfCryptography Project by Aelsayed & Kyasser.pdf
Cryptography Project by Aelsayed & Kyasser.pdf
 
640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths
 
CNIT 152: 9 Network Evidence
CNIT 152: 9 Network EvidenceCNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence
 

More from Tudor Damian

Digital Transformation in the Cloud: What They Don’t Always Tell You [2020]
Digital Transformation in the Cloud: What They Don’t Always Tell You [2020]Digital Transformation in the Cloud: What They Don’t Always Tell You [2020]
Digital Transformation in the Cloud: What They Don’t Always Tell You [2020]
Tudor Damian
 
Security & Compliance in the Cloud [2019]
Security & Compliance in the Cloud [2019]Security & Compliance in the Cloud [2019]
Security & Compliance in the Cloud [2019]
Tudor Damian
 
Modern cybersecurity threats, and shiny new tools to help deal with them
Modern cybersecurity threats, and shiny new tools to help deal with themModern cybersecurity threats, and shiny new tools to help deal with them
Modern cybersecurity threats, and shiny new tools to help deal with them
Tudor Damian
 
The state of web applications (in)security @ ITDays 2016
The state of web applications (in)security @ ITDays 2016The state of web applications (in)security @ ITDays 2016
The state of web applications (in)security @ ITDays 2016
Tudor Damian
 
Microsoft Azure Stack
Microsoft Azure StackMicrosoft Azure Stack
Microsoft Azure Stack
Tudor Damian
 
2016, A new era of OS and Cloud Security
2016, A new era of OS and Cloud Security2016, A new era of OS and Cloud Security
2016, A new era of OS and Cloud Security
Tudor Damian
 
IT Risk Management
IT Risk ManagementIT Risk Management
IT Risk Management
Tudor Damian
 
Social Engineering, or hacking people
Social Engineering, or hacking peopleSocial Engineering, or hacking people
Social Engineering, or hacking people
Tudor Damian
 
Azure Site Recovery and System Center
Azure Site Recovery and System Center Azure Site Recovery and System Center
Azure Site Recovery and System Center
Tudor Damian
 
Upgrading your Private Cloud to Windows Server 2012 R2
Upgrading your Private Cloud to Windows Server 2012 R2Upgrading your Private Cloud to Windows Server 2012 R2
Upgrading your Private Cloud to Windows Server 2012 R2
Tudor Damian
 
What's new in Hyper-V 2012 R2
What's new in Hyper-V 2012 R2What's new in Hyper-V 2012 R2
What's new in Hyper-V 2012 R2
Tudor Damian
 
Comparing MS Cloud with VMware Cloud
Comparing MS Cloud with VMware CloudComparing MS Cloud with VMware Cloud
Comparing MS Cloud with VMware Cloud
Tudor Damian
 
What's new in Windows 8
What's new in Windows 8What's new in Windows 8
What's new in Windows 8
Tudor Damian
 
Linux on Hyper-V
Linux on Hyper-VLinux on Hyper-V
Linux on Hyper-V
Tudor Damian
 
Private cloud, the Good, the Bad and the Ugly
Private cloud, the Good, the Bad and the UglyPrivate cloud, the Good, the Bad and the Ugly
Private cloud, the Good, the Bad and the Ugly
Tudor Damian
 
Hyper-V 3.0 Overview
Hyper-V 3.0 OverviewHyper-V 3.0 Overview
Hyper-V 3.0 Overview
Tudor Damian
 
BOI 2011 - Be what's next
BOI 2011 - Be what's nextBOI 2011 - Be what's next
BOI 2011 - Be what's next
Tudor Damian
 
Hosting your virtual private cloud
Hosting your virtual private cloudHosting your virtual private cloud
Hosting your virtual private cloud
Tudor Damian
 
Linux sub Hyper-V R2
Linux sub Hyper-V R2Linux sub Hyper-V R2
Linux sub Hyper-V R2
Tudor Damian
 
White Hat Hacking #3
White Hat Hacking #3White Hat Hacking #3
White Hat Hacking #3
Tudor Damian
 

More from Tudor Damian (20)

Digital Transformation in the Cloud: What They Don’t Always Tell You [2020]
Digital Transformation in the Cloud: What They Don’t Always Tell You [2020]Digital Transformation in the Cloud: What They Don’t Always Tell You [2020]
Digital Transformation in the Cloud: What They Don’t Always Tell You [2020]
 
Security & Compliance in the Cloud [2019]
Security & Compliance in the Cloud [2019]Security & Compliance in the Cloud [2019]
Security & Compliance in the Cloud [2019]
 
Modern cybersecurity threats, and shiny new tools to help deal with them
Modern cybersecurity threats, and shiny new tools to help deal with themModern cybersecurity threats, and shiny new tools to help deal with them
Modern cybersecurity threats, and shiny new tools to help deal with them
 
The state of web applications (in)security @ ITDays 2016
The state of web applications (in)security @ ITDays 2016The state of web applications (in)security @ ITDays 2016
The state of web applications (in)security @ ITDays 2016
 
Microsoft Azure Stack
Microsoft Azure StackMicrosoft Azure Stack
Microsoft Azure Stack
 
2016, A new era of OS and Cloud Security
2016, A new era of OS and Cloud Security2016, A new era of OS and Cloud Security
2016, A new era of OS and Cloud Security
 
IT Risk Management
IT Risk ManagementIT Risk Management
IT Risk Management
 
Social Engineering, or hacking people
Social Engineering, or hacking peopleSocial Engineering, or hacking people
Social Engineering, or hacking people
 
Azure Site Recovery and System Center
Azure Site Recovery and System Center Azure Site Recovery and System Center
Azure Site Recovery and System Center
 
Upgrading your Private Cloud to Windows Server 2012 R2
Upgrading your Private Cloud to Windows Server 2012 R2Upgrading your Private Cloud to Windows Server 2012 R2
Upgrading your Private Cloud to Windows Server 2012 R2
 
What's new in Hyper-V 2012 R2
What's new in Hyper-V 2012 R2What's new in Hyper-V 2012 R2
What's new in Hyper-V 2012 R2
 
Comparing MS Cloud with VMware Cloud
Comparing MS Cloud with VMware CloudComparing MS Cloud with VMware Cloud
Comparing MS Cloud with VMware Cloud
 
What's new in Windows 8
What's new in Windows 8What's new in Windows 8
What's new in Windows 8
 
Linux on Hyper-V
Linux on Hyper-VLinux on Hyper-V
Linux on Hyper-V
 
Private cloud, the Good, the Bad and the Ugly
Private cloud, the Good, the Bad and the UglyPrivate cloud, the Good, the Bad and the Ugly
Private cloud, the Good, the Bad and the Ugly
 
Hyper-V 3.0 Overview
Hyper-V 3.0 OverviewHyper-V 3.0 Overview
Hyper-V 3.0 Overview
 
BOI 2011 - Be what's next
BOI 2011 - Be what's nextBOI 2011 - Be what's next
BOI 2011 - Be what's next
 
Hosting your virtual private cloud
Hosting your virtual private cloudHosting your virtual private cloud
Hosting your virtual private cloud
 
Linux sub Hyper-V R2
Linux sub Hyper-V R2Linux sub Hyper-V R2
Linux sub Hyper-V R2
 
White Hat Hacking #3
White Hat Hacking #3White Hat Hacking #3
White Hat Hacking #3
 

Recently uploaded

20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website
Pixlogix Infotech
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Vladimir Iglovikov, Ph.D.
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 

Recently uploaded (20)

20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 

IDS Evasion Techniques

  • 1. IDS Evasion Techniques DefCamp 2015 Bucharest, Nov 19th-20th 2015
  • 2. Tudor Damian General Manager & IT Solutions Specialist @ Transcent Operations Manager & Partner @ Avaelgo Co-founder @ ITCamp & ITCamp Community • Certified Ethical Hacker (EC-Council) • Certified Security Professional (CQURE) • Cloud & Datacenter Management MVP (Microsoft) Contact: tudy@tudy.ro / www.tudy.tel
  • 4. Fair Warning • There’s more content that we can realistically cover before lunch  • We’re only aiming for a high-level overview here, not an in-depth dive • No need to take notes, you’ll get the slides anyway 
  • 5. IDS Evasion Techniques Brief Overview • From CIDF to RFC 4765 • Physical, Network and Host IDS/IPS • NIDS design considerations & problems Some Advanced Evasion Techniques (AETs) • Obfuscation (Insertion, Evasion, Session Splicing, Fragmentation) • Denial of Service (DoS) & False Positive Generation • Pattern-Matching Weaknesses • Protocol Violation, TTL Attacks, Urgency Flag • Polymorphic & ASCII Shellcode • Encryption and Tunneling • Application Hijacking Potential Solutions • Normalization • Packet Interpretation Based on Target Host Tools & Resources
  • 7. From CIDF to RFC 4765 • Common Intrusion Detection Framework (CIDF) • An old (late 90s) attempt by DARPA (US govt's Defense Advanced Research Projects Agency) to develop an IDS interchange format • Started as a research project, currently dormant • CIDF components that together define an Intrusion Detection System: • E-boxes - event generators (sniffers, monitors) • A-boxes - analysis engines (signature matchers) • D-boxes - storage mechanisms (loggers) • C-boxes - countermeasures (alarms, firewalls) • The IETF (Internet Engineering Task Force) more recently (2007) started work on a common format (RFC 4765): • http://www.ietf.org/rfc/rfc4765.txt
  • 8. Physical IDS • Security Guards • Security Cameras • Access Control Systems (Card, Biometric) • Firewalls • Man Traps • Motion Sensors Not talking about these today 
  • 9. Network & Host IDS/IPS • NIDS – Network Intrusion Detection System • Using a network tap, span port, or hub collects packets on the network • Attempts to identify unauthorized, illicit, and anomalous behavior based on network traffic • Methods: signature file comparisons, anomaly detection, stateful protocol analysis • Using the captured data, the IDS system processes and flags any suspicious traffic • HIDS – Host Intrusion Detection System • Generally involves an agent installed on each system, monitoring and alerting on local OS and application activity • Attempts to identify unauthorized, illicit, and anomalous behavior on a specific device/OS • The installed agent uses a combination of signatures, rules, and heuristics to identify unauthorized activity • IDS vs IPS? • An IDS only has passive role (identify, log and alert) • An IPS also blocks network traffic
  • 10. NIDS Design Considerations • Logical Target of Attacks • Each component a potential point of vulnerability and hence attacks • Possible Attacks on their • “Availability” (total shutdown) • “Accuracy” (false positives) • “Completeness” (false negatives) • Need to be Reliable, Robust • Avoid false sense of security • There’s no IDS out there with 100% accuracy • They all generate both false positives and false negatives
  • 11. Problems with NIDS • Passive Network Monitors • Inherently “fail-open” • Cease to provide protection when subverted • Vulnerability to Denial of Service • Process all flows to all protected end-systems • Being complex systems require lots of resources • Resource starvation problem is not easily solvable • Insufficient Information on the Wire • Not enough to correctly reconstruct the state of complex protocol transactions like it is done at the end-systems • Diversity in Protocol Implementations • Packet processing differs across end-systems • Leads to ambiguous interpretations • Unknown Internal Network Conditions • Topology, router configs, traffic congestion, etc.
  • 13. Advanced Evasion Techniques (AETs) • Delivered in a highly liberal way • Security devices are designed in a conservative way • Employ rarely used protocol properties • Use unusual combinations • Create network traffic that disregards strict protocol specifications • Exploit the technical and inspection limitations of security devices: memory capacity, performance optimization, design flaws
  • 14. Some of the most common attacks against NIDS • Insertion • Stuffing the analyzer with “invalid” packets • Evasion • Slipping “valid” packets past the analyzer • Denial of Service (DoS) • Causing resource starvation and overloading the IDS • Pattern-matching weaknesses • Exploiting pattern-based detection approach employed by most IDS • Pattern-matching weaknesses • Encryption and tunneling • SSL, SSH, IPSec, etc. • Fragmentation • Breaking the attack into multiple packets • Protocol violation • Attacks targeted at complex protocol (e.g. SMB) • File Locations and Integrity • Circumventing triggers in HIDS • Application Hijacking • If done correctly few HIDS will detect it, while NIDS usually skip the application layer completely
  • 15. Insertion Occurs when the NIDS is less strict in processing packets than the internal network NIDS accepts packets that the end system rejects or doesn’t even receive Attacker’s data stream NIDS data stream Accepts 3rd packet which overwrites 2nd packet data Interprets ATXACK End system data stream Rejects 3rd packet for some reason (or doesn’t even receive it, i.e. TTL) Interprets ATTACK 2 3 3 5 4 1 6 T T X C A A K 1 2 3 3 4 5 6 A T T X A C K 1 2 3 3 4 5 6 A T T X A C K
  • 16. Evasion Occurs when the NIDS is more strict in processing packets than the internal network An end-system can accept packets that the NIDS rejects Attacker’s data stream NIDS data stream Rejects 3rd packet for some reason and sees ATXACK End system data stream Accepts 3rd packet which overwrites 2nd packet Interprets ATTACK 2 3 3 5 4 1 6 T X T C A A K 1 2 3 3 4 5 6 A T X T A C K 1 2 3 3 4 5 6 A T X T A C K
  • 17. Real insertion / evasion attacks • Mostly exploit basic network and protocol ambiguities at the NIDS • Ambiguous interpretation of header fields • Ambiguous handling of header options • Ambiguous fragment/segment reassembly • NIDS and the end-system get different views of the same data stream • Ambiguities cause NIDS to accept/reject packets differently than the end-systems • Differences in protocol implementations • Non-conformance to Protocol Standards • Every OS has a different protocol stack • End-system and router configurations • Application/Socket level options
  • 18. NIDS ambiguities - examples Related field Ambiguity (problem) for the NIDS TTL Will the packet reach the end-system before TTL becomes 0? Length, DF Will all downstream links be able to transmit this big packet without fragmenting it (Don’t Fragment -DF- bit set)? IP Option(s) Will the end-system/routers accept packet with specific IP option(s)? E.g. (Strict) Source Route option TCP Option(s) Will the end-system accept packets with specific TCP option(s)? Data Will the end-system accept data in a SYN packet? ToS Does the packet conform to all internal routers (DiffServ)? IP Frag Offset How will the end-system reassemble overlapping fragments? TCP Seq No How will the end-system reassemble overlapping segments?
  • 19. Session Splicing • Technique used to bypass IDS where an attacker splits the attack traffic into many packets such that no single packet triggers the IDS • It is effective against IDS-es that do not reconstruct packets before checking them again through intrusion signatures • If attackers are aware of delays in packet reassembly at the IDS, they can add delays between packet transmissions to bypass the reassembly • Many IDS-es stop reassembly if they do not receive packets within a certain time • IDS-es become useless if the target host keeps sessions active for a longer time than the IDS reassembly time • Any attack attempt after a successful splicing attack will not be logged by the IDS
  • 20. Fragmentation • Similar to Session Splicing • Attackers send packets in blocks that do not trigger IDS signatures or cause alerts • Generally more powerful than Session Splicing • Two common fragmentation methods • One method overwrites a section of a previous fragment • The second method overwrites a complete fragment • Enables attackers to write an entire packet of garbage information and craft their attack to blend in with standard protocols • Some IDSs do have ways to handle these attacks through reassembly
  • 21. Fragmentation - examples Attack 1: Overlap Method • Packet 1: GET /cgi-bin/ • Packet 2: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/../phxx • Packet 3: f? • This example of fragmentation can overwrite the 'xx' portion of Packet 2 with the data in Packet 3, making the information resemble the following: • GET /cgi-bin/ aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/../phf? Attack 2: Overwrite Method • Packet 1: GET /cgi-bin/ • Packet 2: some_normal_filename.cgi • Packet 3: /aaa/../aaa/../aaa/../phxx • Packet 4: f? • This example is similar to the first, but in this example, the 'xx' portion is overwritten and the some_normal_filename.cgi packet is completely overwritten with the last two packets • This leaves GET /cgi-bin/phf? as the end result.
  • 22. Denial of Service (DoS) & False Positive Generation • Basic problem • NIDS needs to simulate the operation of all protected end-systems and internal network • Scarce Resources (CPU cycles, memory, disk space, bandwidth) • Usually working in a “fail-open” state • CPU DoS (target computationally expensive operations) • Fragment/Segment reassembly • Encryption/Decryption • Memory DoS (target state management operations) • TCP 3-way Handshake (TCP Control Block - TCB) • Fragment/Segment reassembly • Network Bandwidth DoS (target NIDS’s inability to process packets at line speed) • Reactive Systems DoS • Trigger lots of alarms (false positives) • Prevent valid access by spoofed addresses • Hide real attacks
  • 23. Pattern-Matching Weaknesses • Most IDS solutions employ a pattern-based detection component • This approach is problematic, because not all input needs to be the same to trigger vulnerabilities • Example pattern: • GET /cgi-bin/phf? • Obfuscation: • GET /cgi-bin/aaaaaaaaaaaaaaaaaaaaaaaaaa/..%25%2fp%68f? • Both versions result in the same output, yet look very different • Unicode evasion can also be used here • e.g. can be represented as 5C, C19C and E0819C
  • 24. Protocol Violation • Attacks can be targeted at complex protocols • e.g. SMB (Server Message Block), MSRPC, SunRPC • In order to provide protection to a complex protocol, the IDS has to have a deep understanding of it • The IDS implementation also needs to be • Fault-tolerant • Resilient • Able to cope with excessive and unexpected connections and requests
  • 25. TTL Attacks • For TTL attacks, attackers must have some knowledge of the internal network topology • Attackers must know the distance to the end host and whether an IDS is placed in front of the end host • By using a small TTL flag in a TCP packet, attackers can send packets that will only reach the IDS and not the end host • The IDS, in turn, will think the packet addressed to the end host will make it there • This allows attackers to inject garbage packets into the IDS stream processing • Example: • Packet 1: GET /cgi-bin/p TTL 15 • Packet 2: some_file.cgi?= TTL 10 • Packet 3: hf? TTL 15 • This assumes that the end host is beyond the 15 TTL limit and will receive the data • It also assumes that the IDS is within the 10-14 TTL limit, and any data lower than that will not reach the destination host • The IDS receives "GET /cgi-bin/psome_file.cgi?=hf?" • The end host will receive "GET /cgi-bin/phf?"
  • 26. Urgency Flag • The urgency flag is used within the TCP protocol to mark data as urgent • When the urgency flag is set, all data before the urgency pointer is ignored, and the data to which the urgency pointer points is processed • Some IDSs do not take into account the TCP protocol's urgency feature • Attackers can place garbage data before the urgency pointer • The IDS reads that data without consideration for the end host's urgency flag handling • This means the IDS has more data than the end host actually processed • Example of an urgency flag attack: • "1 Byte data, next to Urgent data, will be lost, when Urgent data and normal data are combined." • Packet 1: ABC • Packet 2: DEF Urgency Pointer: 3 • Packet 3: GHI • End result: ABCDEFHI • According to the 1122 RFC, the urgency pointer causes one byte of data next to the urgent data to be lost when urgent data is combined with normal data
  • 27. Polymorphic Shellcode • Most IDSs contain signatures for commonly used strings within shellcode • This is easily bypassed by using encoded shellcode containing a stub that decodes the shellcode that follows • This means that shellcode can be completely different each time it is sent • Polymorphic shellcode allows attackers to hide their shellcode by encrypting it in a simplistic form • It is difficult for IDSs to identify this data as shellcode • This method also hides the commonly used strings within shellcode, making shellcode signatures useless
  • 28. ASCII Shellcode • Similar to polymorphic shellcode • ASCII shellcode contains only characters contained within the ASCII standard • This helps attackers bypass IDS pattern matching signatures as strings are hidden within the shellcode in a similar fashion to polymorphic shellcode • The following is an ASCII shellcode example: char shellcode[] = "LLLLYhb0pLX5b0pLHSSPPWQPPaPWSUTBRDJfh5tDS" "RajYX0Dka0TkafhN9fYf1Lkb0TkdjfY0Lkf0Tkgfh" "6rfYf1Lki0tkkh95h8Y1LkmjpY0Lkq0tkrh2wnuX1" "Dks0tkwjfX0Dkx0tkx0tkyCjnY0LkzC0TkzCCjtX0" "DkzC0tkzCj3X0Dkz0TkzC0tkzChjG3IY1LkzCCCC0" "tkzChpfcMX1DkzCCCC0tkzCh4pCnY1Lkz1TkzCCCC" "fhJGfXf1Dkzf1tkzCCjHX0DkzCCCCjvY0LkzCCCjd" "X0DkzC0TkzCjWX0Dkz0TkzCjdX0DkzCjXY0Lkz0tk" "zMdgvvn9F1r8F55h8pG9wnuvjrNfrVx2LGkG3IDpf" "cM2KgmnJGgbinYshdvD9d"; • When executed, the shellcode above executes a "/bin/sh" shell
  • 29. Encryption and Tunneling • When the attacker manages to establish an encrypted tunnel to the target, IDS-es are evaded completely • Any sort of encrypted connection/tunneling works • SSH • SSL • IPSec • RDP • etc.
  • 30. Application Hijacking • Application layer attacks enable many different forms of evasion • Many applications that deal with media such as images, video and audio employ some form of compression • When a flaw is found in these applications, the entire attack can occur within compressed data, and the IDS will have no way to check the compressed file format for signatures
  • 32. Normalization • Normalization takes obfuscated input and attempts to translate it into what the end host will eventually see • This usually entails encoding in formats such as Unicode and UTF8 • The normalization process allows for encoding, translation and the application of pattern matching to the normalized data • Prevents attackers from obfuscating the attack strings using Unicode or UTF8 strings • Polymorphic shellcode & ASCII shellcode could circumvent this • Some IDSs are attempting to apply normalization to polymorphic shellcode • CPU intensive, which affects monitoring for the remaining network traffic • Normalization also applies to network data • Some IDSs normalize fragmented packets and reassemble them in the proper order • This enables the IDS to look at the information just as the end host will see it • In addition, some IDSs change the TTL field to a large number • This ensures that packets reach the end host
  • 33. Packet Interpretation Based on Target Host • IDS-es are at a disadvantage • These systems attempt to recreate what the end host will see and handle • There are a lot of disparate methods of communicating data over a network • The end host's TCP/IP stack should be used (host-based IDS) • Better than trying to recreate the stream in a way that the stream may be handled • In using the host to do the work, the guessing portion of the task is eliminated • Another option: using modular TCP/IP stacks within an IDS • Using the stacks based on the targeted host's operating system. • Specific OS handling of anomalous traffic must be thoroughly reviewed • Effective in mitigating fragmentation, RST packet handling and Urgency Flags
  • 35. Some free IDS out there… • ACARM-ng • AIDE (Advanced Intrusion Detection Environment) • Bro NIDS • Fail2ban • OSSEC (Open Source Host-based IDS) • Prelude SIEM (Security Information & Event Management) • Samhain • Snort • Suricata • Tripwire
  • 36. …and some IDS evasion tools • Evader • Nmap • Nmap reference on IDS evasion • libemu • Kali Linux • Fragroute • Fragrouter • InTrace • SniffJoke • Other tools • Wireshark • HxD (hex editor/viewer)
  • 38. Upcoming Public Courses IT Security Awareness Seminar & ​Web Application Security Seminar Bucharest, 10-11 December 2015​ Troubleshooting Windows Infrastructure - From Zero to Hero Masterclass Bucharest, 11-15 January 2016 Paula Januszkiewicz is an IT Security Auditor and Penetration Tester, Enterprise Security MVP and trainer (MCT) and Microsoft Security Trusted Advisor. She is also a top-speaker on many well-known conferences (for example: TechEd North America, TechEd Europe, TechEd Middle East, RSA, TechDays, CyberCrime etc.) and writes articles on Windows Security. She proudly holds the role of the Security Architect at IDesign and she drives her own company CQURE. She conducted hundreds of IT security audits and penetration tests, including governmental organizations. Her distinct specialization is definitely on Microsoft security solutions in which she holds multiple Microsoft certifications (MCITP, MCTS, MCSE, MCDBA etc.) besides being familiar and possessing certifications with other related technologies. Paula is passionate about sharing her knowledge with others. In private, she enjoys researching new technologies, which she converts to authored trainings. She has access to a source code of Windows.
  • 40. Tudor Damian General Manager & IT Solutions Specialist @ Transcent Operations Manager & Partner @ Avaelgo Co-founder @ ITCamp & ITCamp Community • Certified Ethical Hacker (EC-Council) • Certified Security Professional (CQURE) • Cloud & Datacenter Management MVP (Microsoft) Contact: tudy@tudy.ro / www.tudy.tel