Irregular Expressions

Nov 4 2010   11:46PM GMT

SonicWall IPS evasion

Dan O'Connor Dan O'Connor Profile: Dan O'Connor

Well this did work a few weeks ago.

http://software.sonicwall.com/applications/ips/index.asp?ev=sig&sigid=5860

Until a week or so ago, someone could use an IPS evasion module in Metasploit to pass attacks through a SonicWall.  This involved using DCE / RPC Fragmentation which fragments the packets during the NetBIOS session setup.

This has been known since at least 2006 ish when Snort implemented a dynamic pre-processor to handle this in it’s engine.  Several other UTM’s have the ability to detect this type of traffic, most of them based on the Snort pre-processor.

Last week I was successfully getting the ms10_061 passed the SonicWalls IPS engine and AV engine using the fragmentation.  I did not specifically chose the ms10_061, but it was in the list of top 10 blocked attacks on the dashboard.

Ta-Da!

It worked.

Turn off the Frag,

Nothing

On

Right through like Jim Morrison.

I reported the issue to SonicWall and after a some debate there is a new signature.

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: