Packet inspection is the process of examining a network packet to see if it meets certain rules. A firewall will inspect packets to see if they should be permitted or denied. An intrusion detection system will inspect packets for unusual behavior or malicious payloads, and then log what it observes. Depending on the product, the inspection can be:
- Signature-based, comparing the packet and its payload to known malicious signatures.
- Anomaly-based, first capturing a baseline of normal traffic and then looking for deviations.
The pen tester will want to evade detection by packet inspectors. This can be done in a number of ways, including:
- Encrypting the packet or payload.
- Using as-yet unknown signatures or unrecognized crafted packets.
- Scanning very slowly so as not to indicate a pattern of malicious traffic.
- Spoofing by using trusted source ports or addresses.