Re: RPC/TCP Record Marking for IDS Evasion

From: Robert Freeman (freem100@chapman.edu)
Date: 01/11/02


From: "Robert Freeman" <freem100@chapman.edu>
To: <diphen@agitation.net>, <vuln-dev@securityfocus.com>
Date: Thu, 10 Jan 2002 23:52:50 -0800


> So... The obvious question: What's an IDS that doesn't fully process RPC
> going to do if I split up my, say, buffer overflow, across 2 RPC
> Fragments?

It's not a new method, though you are right about its effect. I would be
curious to know how widely used this technique is.