RE: On IDS Evasion, Vulnerabilities, and Vendor Hype

From: Marc Maiffret (marc@eeye.com)
Date: 10/04/01


From: "Marc Maiffret" <marc@eeye.com>
To: "Eric Hacker" <hacker@vudu.net>, "IDS Focus" <FOCUS-IDS@SECURITYFOCUS.COM>, "IDS List" <ids@uow.edu.au>, <bugtraq@securityfocus.com>
Subject: RE: On IDS Evasion, Vulnerabilities, and Vendor Hype
Date: Thu, 4 Oct 2001 09:21:17 -0700
Message-ID: <MKEAIJIPCGAHEFEJGDOCGEFPCBAA.marc@eeye.com>


| -----Original Message-----
| From: Eric Hacker [mailto:hacker@vudu.net]
| Sent: Wednesday, October 03, 2001 7:21 PM
| To: IDS Focus; IDS List; bugtraq@securityfocus.com
| Subject: On IDS Evasion, Vulnerabilities, and Vendor Hype
<snip>
|
| Vendor Hype
|
| Eeye cast the first stone with their advisory %u encoding IDS bypass
| vulnerability (http://www.securityfocus.com/advisories/3552).
| Certainly the issue that Eeye discovered is an important one and
| needed to be made public. The practice of marketing an organization's
| name through advisories is what is not necessary.
| <snip>
| Peace,
| Eric Hacker, CISSP, GCIA, MCSE, CCSE
| Network Security Consultant
| Email: hacker@vudu.net
<snip>

While I agree that in the past we have "marketed" in our advisories, as a means
of supporting our research, which is done completely for free, I really cannot
think of marketing that we did concerning the %u encoding. That had to
be one of our "quietest" advisories ever. The only thing we did was release
our advisory (which _needed_ to be released as you can agree) to a few
security mailing lists.

Encoding attacks will always plague NIDS simply because they can never
completely emulate the environment that they are designed to protect. These
types of attacks are not new, nor did we attempt to say that %u was
groundbreaking research or anything. It was a specific problem in a lot of IDS
products, a problem that needed to be addressed.

thanks

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
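
An added example, not part of the original message or of the eEye advisory: a sketch of the URL normalization a NIDS needs before signature matching, so that standard %XX and %uXXXX escapes are decoded the way the protected web server would decode them. The signature string, function names and sample requests are constructed for illustration.

```python
import re

# Hypothetical signature a NIDS rule looks for in a request path (constructed).
SIGNATURE = "/scripts/sample.exe"

# %uXXXX (16-bit code point escape) is tried before the standard %XX escape.
_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
_U_ESCAPE = re.compile(r"%u[0-9a-fA-F]{4}")


def decode_once(path):
    """Decode %XX and %uXXXX escapes in a single pass.

    Assumption: escaped values map directly to code points. A real server may
    map code points above 0xFF through its own code page, which is not modeled
    here and is exactly the kind of environment detail a NIDS has to emulate.
    """
    def repl(match):
        return chr(int(match.group(1) or match.group(2), 16))
    return _ESCAPE.sub(repl, path)


def inspect(path):
    """Compare a raw substring match with a match on the normalized path."""
    normalized = decode_once(path).lower()
    return {
        "raw_hit": SIGNATURE in path.lower(),
        "normalized_hit": SIGNATURE in normalized,
        # %u escapes are rare in legitimate traffic, so flag them on their own.
        "u_escape": bool(_U_ESCAPE.search(path)),
    }


if __name__ == "__main__":
    # Constructed sample request paths.
    samples = [
        "/index.html",
        "/scripts/sample.exe",
        "/scripts/s%61mple.exe",
        "/scripts/s%u0061mple.exe",
        "/scripts/s%u00mple.exe",  # malformed escape is left untouched
    ]
    for request_path in samples:
        print(request_path, inspect(request_path))
```

A sensor that decodes only %XX reports `raw_hit` and `normalized_hit` as false for the fourth sample, while the server still resolves it to the signature path.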


