ids_bypass - Intrusion Detection System Bypass tricks.


Disclaimer: These programs are for educational purposes ONLY. Do not use them without permission.

* inject_server: Proof-of-Concept for CVE-2018-6794.
If the server side breaks the normal packet order of the TCP three-way handshake and injects some response data before the handshake is complete, the client still receives that data, but some IDS engines may skip content checks on it.

Suricata IDS < 4.0.4 is prone to this issue: HTTP or Stream-TCP signatures will not alert on the injected content. We see no alerts on the evil HTTP response data when we apply the following signatures against the PoC network traffic.

* rst_server: Proof-of-Concept for IDS bypass.
Windows clients are able to process TCP data even if it arrives shortly after a TCP RST packet. Some IDSes handle this correctly and keep trying to match data after the RST, but others stop inspecting the TCP stream once a RST has been received.

Suricata IDS is still prone to this issue: HTTP or Stream-TCP signatures will not alert on this TCP session.

* icmp_server: Proof-of-Concept for IDS bypass.
A server should reply with an ICMP message of type "Destination Unreachable", code "Port Unreachable", when a UDP packet is sent to a closed UDP port. An IDS may treat ICMP Unreachable answers the same way as TCP RST packets and stop or limit traffic inspection of that UDP stream. If a normal UDP answer then follows the ICMP message, the attacker bypasses the UDP checks on traffic from his server. Note that normal clients close the connection when an ICMP Destination Unreachable is received, so we swap the IP addresses and UDP ports in the UDP header quoted inside the ICMP message: the client then does not accept the ICMP message, but the IDS does.

Suricata IDS < 3.1.2 is prone to this issue: UDP signatures will not match on packets from Evil Server.

 

These techniques may also apply to other Intrusion Detection or Network Monitoring tools and systems.
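The three cases above share one defensive lesson: a stream tracker must not stop inspecting payload just because a teardown-looking packet (out-of-order handshake, RST, ICMP Port Unreachable) was seen. The following Python flow tracker is an added illustration and is not code from this repository; it keeps inspecting in all three situations, flags each anomaly, and validates the ICMP error the way RFC 792 defines it (the host that sends the error is the host that received the quoted datagram, so the quoted destination must equal the ICMP sender). The addresses, ports, packets and the `EVIL` content pattern are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Pkt:
    """Constructed packet summary: only the fields the tracker needs."""
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""                 # TCP flags, e.g. "S", "SA", "A", "PA", "R"
    payload: bytes = b""
    quoted: Optional[tuple] = None  # ICMP unreachable: (src, dst, sport, dport) of quoted UDP header


@dataclass
class Flow:
    initiator: tuple                # (ip, port) of the side that sent the first packet
    stage: int = 0                  # TCP: 0 none, 1 SYN, 2 SYN/ACK, 3 established
    rst_seen: bool = False
    unreach_seen: bool = False
    inspected: list = field(default_factory=list)
    alerts: list = field(default_factory=list)


def flow_key(proto, src, dst, sport, dport):
    """Direction-independent key so both sides of a flow map to one Flow."""
    return (proto,) + tuple(sorted([(src, sport), (dst, dport)]))


class Tracker:
    def __init__(self, pattern=b"EVIL"):   # constructed content signature
        self.flows = {}
        self.pattern = pattern

    def _get(self, p):
        key = flow_key(p.proto, p.src, p.dst, p.sport, p.dport)
        return self.flows.setdefault(key, Flow(initiator=(p.src, p.sport)))

    def _inspect(self, fl, payload):
        # Content matching always runs, whatever the flow state.
        fl.inspected.append(payload)
        if self.pattern in payload:
            fl.alerts.append("content match: " + self.pattern.decode())

    def _icmp(self, p):
        src, dst, sport, dport = p.quoted
        fl = self.flows.get(flow_key("udp", src, dst, sport, dport))
        if fl is None:
            return None                    # error for a flow we never saw
        if dst != p.src:
            # Quoted destination is not the ICMP sender: a swapped quote.
            fl.alerts.append("icmp unreachable with inconsistent quoted header")
            return fl                      # do not treat as a teardown
        fl.unreach_seen = True
        return fl

    def feed(self, p):
        if p.proto == "icmp":
            return self._icmp(p)
        fl = self._get(p)
        from_server = (p.src, p.sport) != fl.initiator
        if p.proto == "tcp":
            if p.flags == "S":
                fl.stage = max(fl.stage, 1)
            elif p.flags == "SA":
                fl.stage = max(fl.stage, 2)
            elif "A" in p.flags and fl.stage == 2 and not from_server:
                fl.stage = 3               # client's ACK completes the handshake
            if "R" in p.flags:
                fl.rst_seen = True
            if p.payload:
                if fl.stage < 3:
                    fl.alerts.append("tcp data before handshake completed")
                if fl.rst_seen and "R" not in p.flags:
                    fl.alerts.append("tcp data after RST")
                self._inspect(fl, p.payload)
        elif p.payload:                    # udp
            if fl.unreach_seen:
                fl.alerts.append("udp data after ICMP port unreachable")
            self._inspect(fl, p.payload)
        return fl


CLIENT, SERVER = "10.0.0.2", "10.0.0.1"   # constructed addresses


def run(packets):
    t = Tracker()
    return [t.feed(p) for p in packets][-1].alerts


def scenario_inject():
    """Server sends the response before the client's ACK (inject_server case)."""
    return run([Pkt("tcp", CLIENT, SERVER, 40000, 80, "S"),
                Pkt("tcp", SERVER, CLIENT, 80, 40000, "SA"),
                Pkt("tcp", SERVER, CLIENT, 80, 40000, "PA", b"HTTP/1.1 200 OK\r\n\r\nEVIL"),
                Pkt("tcp", CLIENT, SERVER, 40000, 80, "A")])


def scenario_rst():
    """Server sends data shortly after its own RST (rst_server case)."""
    return run([Pkt("tcp", CLIENT, SERVER, 40000, 80, "S"),
                Pkt("tcp", SERVER, CLIENT, 80, 40000, "SA"),
                Pkt("tcp", CLIENT, SERVER, 40000, 80, "A"),
                Pkt("tcp", SERVER, CLIENT, 80, 40000, "R"),
                Pkt("tcp", SERVER, CLIENT, 80, 40000, "PA", b"EVIL")])


def scenario_icmp_swapped():
    """ICMP Port Unreachable whose quoted UDP header has swapped endpoints (icmp_server case)."""
    return run([Pkt("udp", CLIENT, SERVER, 40000, 53, payload=b"query"),
                Pkt("icmp", SERVER, CLIENT, quoted=(SERVER, CLIENT, 53, 40000)),
                Pkt("udp", SERVER, CLIENT, 53, 40000, payload=b"EVIL")])


def scenario_icmp_legit():
    """Well-formed ICMP error, then the server talks anyway: still inspected."""
    return run([Pkt("udp", CLIENT, SERVER, 40000, 53, payload=b"query"),
                Pkt("icmp", SERVER, CLIENT, quoted=(CLIENT, SERVER, 40000, 53)),
                Pkt("udp", SERVER, CLIENT, 53, 40000, payload=b"EVIL")])


if __name__ == "__main__":
    for name in ("scenario_inject", "scenario_rst", "scenario_icmp_swapped", "scenario_icmp_legit"):
        print(name, globals()[name]())
```

Each scenario returns the alert list for its flow: the anomaly note first, then the content match that an engine which stopped tracking would have missed. The key design point is that state flags (`stage`, `rst_seen`, `unreach_seen`) only annotate the flow; they never gate `_inspect`.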

Use and Download:

Source: https://github.com/kirillwow