A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Subscribestar or Patreon

Search Irongeek.com:

Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:


Rob Ragan - Filter Evasion - Houdini on the Wire from Outerz0ne 5 (Hacking Illustrated Series InfoSec Tutorial Videos)

Rob Ragan - Filter Evasion - Houdini on the Wire from Outerz0ne 5

    Today security filters can be found on our network perimeter, on our servers, in our frameworks and applications. As our network perimeter becomes more secure, applications become more of a target. Security filters such as IDS and WAF are relied upon to protect applications. Intrusion detection evasion techniques were pioneered over a decade ago. How are today's filters withstanding ever evolving evasion tactics? The presentation will examine how evasion techniques worked in the past and provide insight into how these techniques can still work today; with a focus on HTTP attacks. A practical new way to bypass Snort will be demonstrated. A tool to test other IDS for the vulnerability in Snort will be demonstrated.

    Bio: Background: While performing a pentest on a fortune 50 company I got caught. My IP address was subsequently blocked. It was apparent that I was causing way too much noise and they had triggered a network security filter that blocked me. I came up with this presentation idea after implementing the evasion techniques found here in a proxy application. I quickly realized none of them work anymore on modern IDS. After some experimentation I eventually found something that would let me sneak nearly any type of web attack past Snort. More details on the attack can be found in my outline. I'm currently working on a tool that will allow anyone to test their IDS/IPS for this vulnerability.

Related Links:

Download AVI from:

Streaming Flash:

Special thanks to Scott and Brandon Moulton for the AV work, and SkyDog for letting me rip the videos.

Printable version of this article

15 most recent posts on Irongeek.com:

If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast