Bypassing Intrusion Detection Systems, content summary:

[Network diagram: IDS and WWW server; a segment with MTU = 1300 in the path; a 1350-byte packet is sent with DF = 1.]

Bypassing NIDS: HTTP Protocol
• '/' padding: "/cgi-bin///phf"
• Self-referencing directories: "/cgi-bin/./phf"
• URL encoding: "%2fcgi-bin/phf"
• Reverse traversal: "/cgi-bin/here/../phf"
• TAB instead of spaces removal
• DOS/Win syntax: "/cgi-bin\phf"
• Null method: "GET%00/cgi-bin/phf"

Bypassing NIDS: Telnet Protocol
• Strip out Telnet codes
• Automatic proxies which add random characters followed by backspace: "su X{backspace}root"

Bypassing NIDS: Resources
• Tools
  – Whisker (Rain Forest Puppy)
  – Fragrouter (Dug Song)
  – Congestant (horizon, Phrack 54)
• Papers
  – "Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection", Tom Ptacek, Timothy Newsham
  – Bro information:

Bypassing HIDS: Kernel Hacks
• Windows NT
  – 4-byte patch that removes all security restrictions from objects within the NT domain
  – Could use access to disable or manipulate HIDS
• Linux "" kernel module, not in /proc/modules: hides a sniffer, hides files, hides processes, redirects execve(), socket backdoor, magic setuid gets root

Bypassing HIDS: Stack Protection
• StackGuard
  – A 'canary' is placed next to the return address
  – Program halts and logs if the canary is altered
  – Canary can be random or terminating
  – Bypass: overwrite the return address without touching the canary
  – Fix: XOR the return address and the canary
  – Point: yet another example of an arms race

Bypassing HIDS: Library Hacks
• Environment variables which redirect shared library locations
• Library has a 'wrapper' run by a p
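The detection-side answer to the HTTP evasions listed on the slides is to canonicalise the request line before signature matching. The normaliser below is an added example, not code from the slides; the request samples are constructed, and "/cgi-bin/phf" is assumed as the signature, since it is the path the slide's examples obfuscate.

```python
import re
from urllib.parse import unquote

# Method, then the target, separated by space, TAB or a stray NUL byte
# (so 'GET%00/cgi-bin/phf' still parses once decoded).
REQUEST_RE = re.compile(r"^([A-Za-z]+)[ \t\x00]*([^ \t\x00]*)")

def canonical_path(path: str) -> str:
    """Collapse the path obfuscations listed on the slide to one form."""
    path = path.split("?", 1)[0].replace("\\", "/")   # drop query; DOS/Win '\'
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):          # '/' padding and self-referencing '.'
            continue
        if seg == "..":               # reverse traversal '/here/../phf'
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)

def normalize_request_line(line: str) -> tuple:
    """Return (METHOD, canonical path); percent-decoding happens first."""
    decoded = unquote(line)           # '%2f' -> '/', '%00' -> NUL, '%09' -> TAB
    m = REQUEST_RE.match(decoded)
    if not m:
        return "", "/"
    return m.group(1).upper(), canonical_path(m.group(2) or "/")

def normalized_match(line: str, signature: str) -> bool:
    """Signature check after both sides are canonicalised."""
    return normalize_request_line(line)[1] == canonical_path(signature)

# Constructed samples, one per evasion on the slide.
SAMPLES = [
    "GET /cgi-bin///phf HTTP/1.0",        # '/' padding
    "GET /cgi-bin/./phf HTTP/1.0",        # self-referencing directory
    "GET %2fcgi-bin/phf HTTP/1.0",        # URL encoding
    "GET /cgi-bin/here/../phf HTTP/1.0",  # reverse traversal
    "GET\t/cgi-bin/phf\tHTTP/1.0",        # TAB instead of space
    "GET /cgi-bin\\phf HTTP/1.0",         # DOS/Win syntax
    "GET%00/cgi-bin/phf HTTP/1.0",        # NUL after the method
]

def detection_rates(signature: str = "/cgi-bin/phf") -> tuple:
    """(raw substring hits, hits after normalisation) over SAMPLES."""
    raw = sum(signature in s for s in SAMPLES)      # what an unnormalised IDS sees
    canon = sum(normalized_match(s, signature) for s in SAMPLES)
    return raw, canon
```

A raw substring signature catches only the TAB and NUL variants, which still contain the literal string; after canonicalisation all seven samples match. Decoding is done once, so a server that decodes twice would still need a second pass.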