The last week of March, SANS Institute published "Beating the IPS". This report shows us different IPS evasion techniques manipulating the payload, header, and traffic flow of a well-known attack.

The goal is to evade detection by widely used products from major security vendors (Cisco, Check Point, Fortinet, Palo Alto, TippingPoint and Snort) while exploiting MS08-067 (http://technet.microsoft.com/en-us/security/bulletin/ms08-067), the vulnerability used by Conficker some years ago...

You can download the report by clicking on this link: http://www.sans.org/reading_room/whitepapers/intrusion/beating-ips_34137

The report's conclusion indicates that the products are effective against the automated, unmodified attack; however, when a custom attack with evasion techniques is used, the situation changes...

All vendors were bypassed using the default IPS settings, except one: Check Point.

The SANS report recommends blocking null sessions if they are not needed, and keeping an eye on your IPS alerts.