Irregular Expressions

Nov 4 2010   11:46PM GMT

SonicWall IPS evasion

Dan O'Connor

Well this did work a few weeks ago.

http://software.sonicwall.com/applications/ips/index.asp?ev=sig&sigid=5860

Until a week or so ago, someone could use an IPS evasion module in Metasploit to pass attacks through a SonicWall. This involved using DCE/RPC fragmentation, which fragments the packets during the NetBIOS session setup.

This has been known since at least 2006-ish, when Snort implemented a dynamic pre-processor to handle this in its engine. Several other UTMs have the ability to detect this type of traffic, most of them based on the Snort pre-processor.

Last week I was successfully getting the ms10_061 past the SonicWall's IPS engine and AV engine using the fragmentation. I did not specifically choose the ms10_061, but it was in the list of top 10 blocked attacks on the dashboard.

Ta-Da!

It worked.

Turn off the Frag,

Nothing

On

Right through like Jim Morrison.

I reported the issue to SonicWall and after some debate there is a new signature.
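Why an inspection engine has to reassemble DCE/RPC fragments before matching, as an added example that is not from the original post, Snort or SonicWall: it parses connection-oriented request PDUs, compares a per-fragment pattern match with a match over the reassembled stub, and counts undersized fragments. The PDUs, the marker pattern and the `min_stub` threshold are constructed for illustration, and the parser assumes little-endian encoding with no auth trailer or object UUID.

```python
import struct

PFC_FIRST_FRAG, PFC_LAST_FRAG, PTYPE_REQUEST = 0x01, 0x02, 0
HDR = struct.Struct("<BBBB4sHHI")  # ver, minor, ptype, flags, drep, frag_len, auth_len, call_id
REQ = struct.Struct("<IHH")        # alloc_hint, context id, opnum

def build_request(call_id, opnum, stub, flags):
    """Constructed request PDU: little-endian, no auth trailer, no object UUID."""
    frag_len = HDR.size + REQ.size + len(stub)
    head = HDR.pack(5, 0, PTYPE_REQUEST, flags, b"\x10\x00\x00\x00", frag_len, 0, call_id)
    return head + REQ.pack(len(stub), 0, opnum) + stub

def fragment(call_id, opnum, stub, size):
    """Split one stub across several PDUs, as a fragmenting client would."""
    chunks = [stub[i:i + size] for i in range(0, len(stub), size)]
    out = b""
    for i, chunk in enumerate(chunks):
        flags = (PFC_FIRST_FRAG if i == 0 else 0) | (PFC_LAST_FRAG if i == len(chunks) - 1 else 0)
        out += build_request(call_id, opnum, chunk, flags)
    return out

def parse_requests(stream):
    """Yield (call_id, flags, stub) for each well-formed request PDU in the stream."""
    off = 0
    while off + HDR.size + REQ.size <= len(stream):
        ver, _, ptype, flags, _, frag_len, _, call_id = HDR.unpack_from(stream, off)
        if ver != 5 or frag_len < HDR.size + REQ.size or off + frag_len > len(stream):
            return  # malformed or truncated PDU: stop rather than guess
        if ptype == PTYPE_REQUEST:
            yield call_id, flags, stream[off + HDR.size + REQ.size:off + frag_len]
        off += frag_len

def inspect(stream, signature, min_stub=16):
    """Match per fragment and after reassembly; count undersized non-final fragments."""
    pending, result = {}, {"fragment_hit": False, "reassembled_hit": False, "tiny_fragments": 0}
    for call_id, flags, stub in parse_requests(stream):
        result["fragment_hit"] |= signature in stub
        if not flags & PFC_LAST_FRAG and len(stub) < min_stub:
            result["tiny_fragments"] += 1
        if flags & PFC_FIRST_FRAG:
            pending[call_id] = b""          # start a new reassembly buffer for this call
        if call_id in pending:
            pending[call_id] += stub
            if flags & PFC_LAST_FRAG:
                result["reassembled_hit"] |= signature in pending.pop(call_id)
    return result

SIGNATURE = b"CONSTRUCTED-MARKER"        # benign stand-in for a signature pattern
STUB = b"A" * 8 + SIGNATURE + b"B" * 8   # constructed stub data, 34 bytes
```

With the stub sent as one PDU both matches fire; split into 4-byte fragments, only the reassembled match fires, and the run of tiny non-final fragments is itself a usable anomaly signal.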
