| |
| F
Tests - Evasion |
|
|
|
| Test F1 |
Basic
IP Fragmentation (ordered 8-byte) [fragrouter F1] |
Pass |
| Test F2 |
Basic
IP Fragmentation (ordered 24-byte) [fragrouter F2] |
Pass |
| Test F3 |
"Complex
IP Fragmentation (ordered 8-byte IP fragments, one out of order)
[fragrouter F3]" |
Pass |
| Test F4 |
"Complex
IP Fragmentation (ordered 8-byte IP fragments, one duplicate)
[fragrouter F4]" |
Pass |
| Test F5 |
"Complex
IP Fragmentation (out of order 8-byte fragments, one duplicate)
[fragrouter F5]" |
Pass |
| Test F6 |
"Complex
IP Fragmentation (ordered 8-byte fragments, marked last frag
first) [fragrouter F6]" |
Pass |
| Test F7 |
"Basic
TCP segmentation (3-whs, ordered 1-byte segments, one out of
order) [fragrouter T8]" |
Pass |
| Test F8 |
"Complex
TCP Segmentation (3-whs, bad TCP checksum FIN/RST, ordered 1-byte
segments) [fragrouter T1]" |
Pass |
| Test F9 |
"Complex
TCP Segmentation (3-whs, ordered 1-byte segments, one duplicate)
[fragrouter T3]" |
Pass |
| Test F10 |
"Complex
TCP Segmentation (3-whs, ordered 1-byte segments, one overwriting)
[fragrouter T4]" |
Pass |
| Test F11 |
"Complex
TCP Segmentation (3-whs, ordered 2-byte segments, fwd-overwriting)
[fragrouter T5]" |
Pass |
| Test F12 |
"Complex
TCP Segmentation (3-whs, ordered 1-byte segments, interleaved
null segments) [fragrouter T7]" |
Pass |
| Test F13 |
"Complex
TCP Segmentation (3-whs, out of order 1-byte segments) [fragrouter
T9]" |
Pass |
| Test F14 |
"Complex
TCP Segmentation (3-whs, ordered 1-byte segments, interleaved
SYN) [fragrouter C2]" |
Pass |
| Test F15 |
"Complex
TCP Segmentation (ordered 1-byte null segments, 3-whs, ordered
1-byte segments) [fragrouter C3]" |
Pass |
| Test F16 |
"Complex
TCP Segmentation (3-whs, RST, 3-whs, ordered 1-byte segments)
[fragrouter R1]" |
Pass |
| Test F17 |
"Delayed
injection @ 100,000 sessions" |
Pass |
| Test
F18 |
"Delayed
injection @ 250,000 sessions" |
N/A [1]
|
| Test F19 |
"Delayed
injection @ 500,000 sessions" |
N/A [2]
|
| Test F20 |
HTTP
obfuscation (hex encoding) |
Pass |
| Test F21 |
HTTP
obfuscation (double hex encoding) |
Pass |
| Test F22 |
HTTP
obfuscation (Unicode / UTF-8) |
Pass |
| Test F23 |
HTTP
obfuscation (self-referential directories) [whisker -I 2] |
Pass |
| Test F24 |
HTTP
obfuscation (premature URL ending) [whisker -I 3] |
Pass
(Identified as HTTP:REQERR:REQ-MALFORMED-URL and HTTP:IIS:HDR-EVASION) |
| Test F25 |
HTTP
obfuscation (prepend long string) [whisker -I 4] |
Pass |
| Test F26 |
HTTP
obfuscation (fake URL parameter) [whisker -I 5] |
Pass |
| Test F27 |
HTTP
obfuscation (case sensitivity) [whisker -I 7] |
Pass |
| Test F28 |
HTTP
obfuscation (Windows directory syntax) [whisker -I 8] |
Pass |
| Test F29 |
HTTP
obfuscation (session splicing) [whisker -I 9] |
Pass |
| Test F30 |
HTTP
obfuscation (connection reuse) |
Pass |
| Test F31 |
HTTP
obfuscation (version 0.9) |
Pass |
| Test F32 |
HTTP
obfuscation (version 1.0) |
Pass |
| Test F33 |
HTTP
obfuscation (version 1.1) |
Pass |
| |
|
|
| |
[1]
The IDP100 is a 100Mbps sensor. NIDS claiming to exceed full-duplex
fast ethernet speeds should be able to handle a 250,000 session
table roll
without missing the attack. |
|
| |
[2]
The IDP100 is a 100Mbps sensor. NIDS claiming gig speeds or
greater
should be able to handle a 500,000 session table roll without
missing the
attack. |
|
| |
