Check Point Response to Stonesoft IPS Evasion Techniques published on June 14, 2011

Solution ID: sk63621
Severity: Medium
Product: IPS
Version: R75, R71, R70
Platform / Model: All
Date Created: 14-Jun-2011
Last Modified: 05-Jul-2011
Symptoms
  • Stonesoft Corporation reported a number of techniques for evading IPS/IDS detection. This publication should not be confused with the Stonesoft "Advanced Evasion Techniques" advisory (CVE-2010-0102) discussed in sk59468.
  • Check Point has verified that all versions of the Check Point IPS blade properly block and report on these evasion techniques. Read the "Solution" section for details.
Cause

The Stonesoft evasion techniques combine TCP segmentation and MS-RPC fragmentation with manipulation of the TCP window size and congestion control. For details, refer to the CERT-FI advisory.
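
The following added example (not Check Point code and not part of the original advisory) shows from the inspection side why both layers must be reassembled before matching: a pattern split across DCE/RPC request fragments and small TCP segments is invisible per segment but visible after reassembly. It assumes in-order TCP payloads, little-endian PDUs with no auth trailer, and RPC carried directly on the stream (the CIFS/SMB layer is omitted); `MARKER` and all function names are hypothetical.

```python
import struct

PFC_FIRST_FRAG, PFC_LAST_FRAG, PTYPE_REQUEST = 0x01, 0x02, 0
MARKER = b"EXAMPLE-SIGNATURE"  # constructed stand-in for a signature pattern

def make_request(call_id, stub, flags, opnum=0):
    """Build one DCE/RPC v5.0 request PDU (used only to construct sample input)."""
    body = struct.pack("<IHH", len(stub), 0, opnum) + stub  # alloc_hint, ctx id, opnum
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_REQUEST, flags,
                      b"\x10\x00\x00\x00", 16 + len(body), 0, call_id)
    return hdr + body

def reassemble_requests(tcp_segments):
    """Join ordered TCP payloads, then join request fragments per call_id."""
    stream = b"".join(tcp_segments)  # TCP layer: assumes in-order, no overlaps
    pending, complete, off = {}, [], 0
    while off + 16 <= len(stream):
        ver, _minor, ptype, flags, _drep, frag_len, _auth_len, call_id = \
            struct.unpack_from("<BBBB4sHHI", stream, off)
        if ver != 5 or frag_len < 16 or off + frag_len > len(stream):
            break  # not DCE/RPC, or the PDU is truncated
        if ptype == PTYPE_REQUEST and frag_len >= 24:
            stub = stream[off + 24:off + frag_len]  # skip 16-byte header + 8-byte request fields
            if flags & PFC_FIRST_FRAG:
                pending[call_id] = b""
            if call_id in pending:
                pending[call_id] += stub
                if flags & PFC_LAST_FRAG:
                    complete.append((call_id, pending.pop(call_id)))
        off += frag_len
    return complete

def sample_segments(seg_size=7):
    """Constructed input: MARKER split across two RPC fragments and 7-byte segments."""
    payload = b"A" * 10 + MARKER + b"B" * 10
    pdus = (make_request(1, payload[:15], PFC_FIRST_FRAG)
            + make_request(1, payload[15:], PFC_LAST_FRAG))
    return [pdus[i:i + seg_size] for i in range(0, len(pdus), seg_size)]

def naive_hit(segments):
    """Per-segment matching, with no reassembly at either layer."""
    return any(MARKER in s for s in segments)

def reassembled_hit(segments):
    """Matching on the stub data after TCP and RPC reassembly."""
    return any(MARKER in stub for _, stub in reassemble_requests(segments))
```

Joining the TCP payloads alone is not enough here, because the second fragment's RPC header sits in the middle of the pattern.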


Solution

No IPS update or patches are required.

Customers that use the recommended IPS profile in prevention mode are protected.
Customers that do not use the recommended profile should verify that the "MS-RPC over CIFS Fragmentation" protection in IPS is enabled.

