Friday, November 23, 2007

TCP/IP Pervesion

I came across this blog post from Tyler Reguly about TCP/IP Pervesion that presented by Rares Stefan at Sector 2007. I can't find any presentation slide that are publicly available so I don't really know much about it but it looks very interesting to me because it might be giving hard time to NSM as it offers the false sense of data(This is more than evasion and now this is really unpredictable). I maybe kidding but you can check out the post here -

Someone mind to enlighten me about this?

Thanks to Tyler Reguly for summarizing the presentation and post it up. I'm pretty eager to know more about it.

Cheers ;]


Tyler Reguly said...


The slides will eventually be posted @ I believe that the conference organizers said it would take them about a week or so to get everything together, so start looking the middle of next week. As soon as the presentations are posted, I will link to them in my block posts.


bamm said...

I think it's the HIDS/HIPS guys that need to worry. From an NSM perspective, you'll see the correct data passing by the sensor, since an NSM seneor wouldn't be using the modified NIC driver to collect packets. This is actually one of the reasons I tend to rely on NSM versus host based systems. Once a host is compromised, you can't trust the data you get from it, so from a HIDS/HIPS perspective, you have to hope you catch the malicious activity that lead up to the installation of the modified driver.