RE: On IDS Evasion, Vulnerabilities, and Vendor Hype

From: Marc Maiffret (
Date: 10/04/01

From: "Marc Maiffret" <>
To: "Eric Hacker" <>, "IDS Focus" <FOCUS-IDS@SECURITYFOCUS.COM>, "IDS List" <>, <>
Subject: RE: On IDS Evasion, Vulnerabilities, and Vendor Hype
Date: Thu, 4 Oct 2001 09:21:17 -0700
Message-ID: <>

| -----Original Message-----
| From: Eric Hacker []
| Sent: Wednesday, October 03, 2001 7:21 PM
| To: IDS Focus; IDS List;
| Subject: On IDS Evasion, Vulnerabilities, and Vendor Hype
| Vendor Hype
| Eeye cast the first stone with their advisory %u encoding IDS bypass
| vulnerability (
| Certainly the issue that Eeye discovered is an important one and
| needed to be made public. The practice of marketing an organization's
| name through advisories is what is not necessary.
| <snip>
| Peace,
| Eric Hacker, CISSP, GCIA, MCSE, CCSE
| Network Security Consultant
| Email:

While I agree in the past we have "marketed" in our advisories, as a means
of supporting our research which is done completely for free, I really
cannot think of marketing that we did concerning the %u encoding. That had to
be one of our "quietest" advisories ever. The only thing we did was release
our advisory (which _needed_ to be released as you can agree) to a few
security mailing lists.

Encoding attacks will always plague NIDS simply because they can never
completely emulate the environment that they are designed to protect. These
types of attacks are not new, nor did we attempt to say that %u was
groundbreaking research or anything. It was a specific problem in a lot of IDS
products, a problem that needed to be addressed.


Marc Maiffret
Chief Hacking Officer
eEye Digital Security
F.949.349.9538 - Network Security Scanner - Network Traffic Analyzer - Stop known and unknown IIS vulnerabilities
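
The decoder mismatch discussed in the message above, shown from the sensor's side as an added example (not part of the original post or of the eEye advisory): a signature check run behind a decoder that knows only %XX escapes, next to one that also resolves %uXXXX. The signature list, function names and sample paths are hypothetical and constructed for illustration.

```python
import re

# Hypothetical signature list, for illustration only.
SIGNATURES = ("cmd.exe",)

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")
# %uXXXX is tried first; %U is accepted too as a conservative assumption.
_PCT_OR_U = re.compile(r"%[uU]([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def decode_percent_only(path):
    """Sensor-side decoder that knows only standard %XX escapes."""
    return _PCT.sub(lambda m: chr(int(m.group(1), 16)), path)


def decode_with_u(path):
    """Decoder that also resolves %uXXXX, matching what the server accepts."""
    return _PCT_OR_U.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), path)


def hits(path, decoder):
    """Return the signatures found in the decoded, lowercased path."""
    decoded = decoder(path).lower()
    return [sig for sig in SIGNATURES if sig in decoded]


def inspect(path):
    """Compare both decoders; a disagreement is itself worth alerting on."""
    weak, full = hits(path, decode_percent_only), hits(path, decode_with_u)
    return {"percent_only": weak, "with_u": full, "decoder_gap": weak != full}


# Constructed sample request paths (not captured traffic).
SAMPLES = [
    "/scripts/cmd.exe",        # plain
    "/scripts/c%6dd.exe",      # standard %XX escape for 'm'
    "/scripts/c%u006dd.exe",   # %uXXXX escape for 'm'
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, inspect(p))
```

Only the third sample produces a `decoder_gap`, which is the condition a sensor has to close by decoding the way the protected server does.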
