| To: | "Joseph McCray" <joe@learnsecurityonline.com>, pen-test@securityfocus.com |
|---|---|
| Subject: | Re: IDS Assessments....and the I{D|P}S evasion research project |
| From: | "Eric Hacker" <my.self@erichacker.com> |
| Date: | Fri, 17 Nov 2006 09:01:27 -0500 |
| Delivered-to: | sp-com-lists@consult.net |
| Delivered-to: | pentest-list2@consult.net |
| Delivered-to: | mailing list pen-test@securityfocus.com |
| Delivered-to: | moderator for pen-test@securityfocus.com |
| Domainkey-signature: | a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:sender:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references:x-google-sender-auth; b=RPH211nPs2y+aJpnLVvuWTomvto4WoYLjE7DPD6sIWzfhAI/5f4hibZv3WZ4SeLbXwZzO90yR2S+dKPukBCJLsyG57GGMzmOt0IR9jHD9PhairqmReVyMoeEVa7jm+tiD0ai2zMBF5yDSZw/FdI4wNeXNqvhsOZ/h+GSN+YvdH4= |
| In-reply-to: | <20061116195151.GC11104@grey-havens.net> |
| List-help: | <mailto:pen-test-help@securityfocus.com> |
| List-id: | <pen-test.list-id.securityfocus.com> |
| List-post: | <mailto:pen-test@securityfocus.com> |
| List-subscribe: | <mailto:pen-test-subscribe@securityfocus.com> |
| List-unsubscribe: | <mailto:pen-test-unsubscribe@securityfocus.com> |
| Mailing-list: | contact pen-test-help@securityfocus.com; run by ezmlm |
| References: | <1163625740.4230.66.camel@Linux> <20061116195151.GC11104@grey-havens.net> |
| Resent-date: | Fri, 17 Nov 2006 09:11:34 -0700 (MST) |
| Resent-from: | pen-test-return-1078482998@securityfocus.com |
| Resent-message-id: | <20061117161134.1FB22237283@outgoing3.securityfocus.com> |
| Resent-sender: | listbounce@securityfocus.com |
| Sender: | listbounce@securityfocus.com |
| Sender: | ericwhacker@gmail.com |
To help us automate the correlation, we bound each individual test case to a unique source port, and included the source port in the file name. (Well, we used N for 9, because the exploit couldn't write a 9, but you get the idea). So that way we knew that for a given suite of tests, source port 30000 was test X. Even if you can't do the rest of it, keying each test case to a source port is an enormous help in correlation. Yes, correlation is important and a very good idea. I forgot about that. Wherever possible use things like source port, IP ID, TCP seq numbers, etc. to discriminate attacks and allow easier correlation. I've set the IP ID field to the Snort ID in some testing. Even though it didn't end up being used for correlation in the end, it helps in debugging when reading packet traces. -- Eric Hacker, CISSP aptronym (AP-troh-NIM) noun A name that is especially suited to the profession of its owner I _can_ leave well enough alone, but my criteria for well enough is pretty darn high. ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------ |
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| ||
| Previous by Date: | Apache Tomcat penetration test, a007 |
|---|---|
| Next by Date: | Re: Apache Tomcat penetration test, Danux |
| Previous by Thread: | Re: IDS Assessments....and the I{D|P}S evasion research project, Sam Gorton |
| Next by Thread: | Re: IDS Assessments....and the I{D|P}S evasion research project, Eric Hacker |
| Indexes: | [Date] [Thread] [Top] [All Lists] |