IDS / IPS Evasion

Content Leader: Jess Garcia - Last Updated: January 4, 2007

Evasion Techniques

  • String Matching
    • This technique relies on modifying a string in a way that the IDS / IPS signature will not match but the remote system will interpret it correctly (e.g. /etc/passwd -> /etc/.././passwd or /etc//.//passwd).
  • Fragmentation
    • Fragmentation Overlap
      • Reassembly of overlapping fragments varies between operating systems. If the IDS / IPS is not aware of the target OS and does not reassemble the fragments the same way the target does, evasion is possible.
    • Fragmentation Overwrite
    • Fragmentation Timeout
  • TTL (Time To Live)
    • If the IDS / IPS is not sitting in the same network segment as the target system, it is possible to insert packets that the IDS / IPS will see but which will not get to the final host.
  • Encrypted Traffic
    • Most IDS / IPS cannot inspect encrypted traffic (HTTPS, SSH, IPSec, etc.).
  • Session Splicing
    • Session splicing divides the string across several packets. An IDS / IPS can handle these attacks through session reconstruction, but as this is CPU/memory intensive it will typically time out earlier than the target server.
  • Signatures that use \s and \S in their regular expressions.
    • "Not every text-based service treats the same byte set as "whitespace". The \s match often includes characters that things like FTP and SMTP servers don't consider white-space. Unless the IDS product is aware of how every vendor handles whitespace (and knows what target IP and service is what vendor), there is a good chance that any signature containing \s or \S is evadable." HD Moore
  • 0x09, 0x0b, 0x0c, 0x0d, and 0x20 as HTTP field separators
    • "HTTP protocol parsers that don't consider all of 0x09, 0x0b, 0x0c, 0x0d, and 0x20 to be valid whitespace for separating HTTP fields are evadable when the target application is hosted on Apache or uses an Apache-based reverse proxy. If the IDS does treat all of these characters as whitespace, the signatures may still be evadable when a non-Apache server is being targeted." HD Moore
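
For the Fragmentation Overlap item above, an added example (not from the original page): a simplified byte-offset model of reassembly showing that first-wins and last-wins policies rebuild different payloads from the same fragments, plus a sensor-side check that flags overlaps carrying conflicting bytes. The policy names, function names and sample fragments are constructed for illustration; real stacks implement more nuanced policies than these two.

```python
from typing import Dict, List, Tuple

Fragment = Tuple[int, bytes]  # (byte offset in the datagram, payload), in arrival order

def reassemble(frags: List[Fragment], policy: str) -> bytes:
    """Rebuild a datagram; on overlap keep the first ('first') or latest ('last') copy."""
    buf: Dict[int, int] = {}
    for offset, data in frags:
        for i, byte in enumerate(data):
            pos = offset + i
            if policy == "last" or pos not in buf:
                buf[pos] = byte
    if not buf:
        return b""
    end = max(buf) + 1
    if len(buf) != end:
        raise ValueError("hole in datagram: fragments do not cover every byte")
    return bytes(buf[i] for i in range(end))

def conflicting_overlaps(frags: List[Fragment]) -> List[int]:
    """Offsets where two fragments supply different bytes for the same position."""
    seen: Dict[int, int] = {}
    conflicts = set()
    for offset, data in frags:
        for i, byte in enumerate(data):
            pos = offset + i
            if pos in seen and seen[pos] != byte:
                conflicts.add(pos)
            seen.setdefault(pos, byte)
    return sorted(conflicts)

def inspect(frags: List[Fragment]) -> dict:
    """What a sensor should record: both views of the payload and an anomaly flag."""
    views = {p: reassemble(frags, p) for p in ("first", "last")}
    return {"views": views,
            "ambiguous": views["first"] != views["last"],
            "conflict_offsets": conflicting_overlaps(frags)}

# Constructed sample: the second fragment re-sends bytes 8-15 with different content.
SAMPLE = [(0, b"A" * 8 + b"B" * 8), (8, b"C" * 8 + b"D" * 8)]
# Constructed sample: an overlap that repeats identical bytes (harmless duplicate).
BENIGN = [(0, b"A" * 8 + b"B" * 8), (8, b"B" * 8 + b"D" * 8)]

if __name__ == "__main__":
    for name, frags in (("SAMPLE", SAMPLE), ("BENIGN", BENIGN)):
        print(name, inspect(frags))
```

A sensor that cannot know the target's policy can treat `ambiguous` as an alert condition in its own right, since legitimate traffic rarely overlaps with differing content.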


  • Fragrouter - Program for routing network traffic in such a way as to elude most network intrusion detection systems.
  • FTester - Tool designed for testing firewalls filtering policies and Intrusion Detection System (IDS) capabilities. FTester can also use common IDS evasion techniques.


Copyright © 2000-2008 Jessland - Jess Garcia's Website - All rights reserved.