Re: sidestep
From: Jill Tovey (jill.tovey_at_bigbluedoor.com)
Date: 04/29/03
- Next in thread: Randy Taylor: "Re: sidestep"
- Maybe reply: Randy Taylor: "Re: sidestep"
- Maybe reply: Jill Tovey: "RE: sidestep"
- Maybe reply: Golomb, Gary: "RE: sidestep"
- Reply: Brian: "Re: sidestep"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: focus-ids@securityfocus.com Date: 29 Apr 2003 13:28:54 +0100
Okay,
Thanks for the responses so far.
I am tackling how the RPC attack works first.
First of all I send the RPC request in normal mode.
This gets detected by snort with the following output:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
TCP TTL:128 TOS:0x0 ID:8585 IpLen:20 DgmLen:84 DF
***AP*** Seq: 0xBE7826F7 Ack: 0x34F8656C Win: 0x4470 TcpLen: 20
80 00 00 28 00 00 00 00 00 00 00 00 00 00 00 02 ...(............
00 01 86 A0 00 00 00 02 00 00 00 04 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 ............
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
So I then try sidestep in -evade mode.
It gets detected by snort anyway; as someone already mentioned, this is
probably because sidestep is older than my snort rules.
[**] RPC portmap listing [**]
04/29-12:57:58.607580 192.168.0.10:1471 -> 192.168.0.2:111
TCP TTL:128 TOS:0x0 ID:10424 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x19B53290 Ack: 0xB60B1018 Win: 0x4470 TcpLen: 20
80 00 00 28 00 00 00 00 00 00 00 00 00 00 00 02 ...(............
00 01 86 A0 00 00 00 02 00 00 00 04 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01 00 00 00 00 01 00 00 00 00 01 02 00 00 00 01 ................
00 00 00 00 01 01 00 00 00 01 86 00 00 00 01 A0 ................
00 00 00 01 00 00 00 00 01 00 00 00 00 01 00 00 ................
00 00 01 02 00 00 00 01 00 00 00 00 01 00 00 00 ................
00 01 00 00 00 00 01 04 00 00 00 01 00 00 00 00 ................
01 00 00 00 00 01 00 00 00 00 01 00 00 00 00 01 ................
00 00 00 00 01 00 00 00 00 01 00 00 00 00 01 00 ................
00 00 00 01 00 00 00 00 01 00 00 00 00 01 00 00 ................
00 00 01 00 00 00 00 01 00 00 00 00 01 00 00 00 ................
00 01 00 80 00 00 01 00 ........
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Anyway, as you can see the packet data is very different, but the first
44 bytes are the same; this is probably why snort is detecting the
attack.
So would anyone like to attempt an explanation as to how this tries to
evade snort?
Any comments much appreciated,
Cheers
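Added example (not from the post, nor code from sidestep or snort): the -evade dump above appears to carry the portmap DUMP words inside one-byte ONC RPC record fragments (the repeated `00 00 00 01 xx` units), which a signature matching raw payload bytes cannot see but a decoder that reassembles records per RFC 1831 record marking can. The call body and its fragmentation below are constructed test data; the two detection functions are mine, not snort's.

```python
import struct

# Portmapper words visible in the post's dump: 00 01 86 A0 / 00 00 00 02 / 00 00 00 04
PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4
# The contiguous byte pattern a payload-only signature would search for.
DUMP_PATTERN = struct.pack(">3I", PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP)

def build_dump_call(xid=0):
    # Constructed test input: 40-byte portmap DUMP call body as in the post's dump
    # (xid, CALL, RPC v2, prog, vers, proc, AUTH_NULL cred, AUTH_NULL verf).
    return struct.pack(">10I", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP, 0, 0, 0, 0)

def frame(body, frag_size=None):
    # RFC 1831 record marking: 4-byte header per fragment, bit 31 set on the last
    # fragment, low 31 bits = fragment length. frag_size=None emits one whole record.
    n = frag_size or len(body)
    chunks = [body[i:i + n] for i in range(0, len(body), n)]
    out = b""
    for i, chunk in enumerate(chunks):
        last = 0x80000000 if i == len(chunks) - 1 else 0
        out += struct.pack(">I", last | len(chunk)) + chunk
    return out

def records(stream):
    # Reassemble records from a TCP byte stream: concatenate fragments until the
    # last-fragment bit is seen; a fragment cut short by the stream end is an error.
    pos, buf = 0, b""
    while pos + 4 <= len(stream):
        (hdr,) = struct.unpack(">I", stream[pos:pos + 4])
        length = hdr & 0x7FFFFFFF
        frag = stream[pos + 4:pos + 4 + length]
        if len(frag) != length:
            raise ValueError("truncated fragment at offset %d" % pos)
        buf += frag
        pos += 4 + length
        if hdr & 0x80000000:
            yield buf
            buf = b""

def parse_call(record):
    # (xid, prog, vers, proc) for an RPC v2 CALL record, else None.
    if len(record) < 24:
        return None
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack(">6I", record[:24])
    return (xid, prog, vers, proc) if (mtype, rpcvers) == (0, 2) else None

def raw_pattern_match(stream):
    # Payload-only signature: only fires if the three words are contiguous.
    return DUMP_PATTERN in stream

def reassembled_match(stream):
    # Detection after record reassembly: independent of how the sender fragmented.
    return any(c and c[1:] == (PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP)
               for c in map(parse_call, records(stream)))
```

`frame(build_dump_call())` reproduces the 44 bytes of the first dump byte for byte, and `frame(build_dump_call(), 1)` gives a 200-byte stream that only `reassembled_match` flags.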