In the last week of March, the SANS Institute published "Beating the IPS". The report walks through different IPS evasion techniques that manipulate the payload, the header and the traffic flow of a well-known attack.
The goal is to evade detection by widely used products from major security vendors (Cisco, Check Point, Fortinet, Palo Alto, TippingPoint and Snort) while exploiting MS08-067 (http://technet.microsoft.com/en-us/security/bulletin/ms08-067), the vulnerability used by Conficker some years ago.
You can download the report by clicking on this link: http://www.sans.org/reading_room/whitepapers/intrusion/beating-ips_34137
The report's conclusion indicates that the products are effective against the automated attack; however, when a custom attack is used, the situation changes.
All vendors were bypassed using the default IPS settings except one: Check Point.
The SANS report recommends blocking null sessions if you do not need them, and keeping an eye on your IPS alerts.