IDS mailing list archives
Re: Polymorphic Shellcode detection
From: Randy Taylor <gnu () charm net>
Date: Tue, 06 May 2003 17:26:13 -0400
At 11:23 AM 5/6/2003 +0000, ub wrote:
Hi,i wanted to find if the present ids'es are able to detect ploymorphic shellcodes a.k.a the ADMmutate and its variants. i had just gone through K2's article and at that time he claims that ISS was not able to detect the method which he has given. What about the other IDS vendors? Have they been able to detect such exploits? Can anyone throw some light on how the detection mechanism might work??thanks, ub
I think Gary Golomb did some work on this for Dragon "back in the day." My memory's a bit fuzzy now, but I seem to recall that Dragon detects ADMmutate... Hope I'm right and my memory is somewhat accurate. Apologies in advance if I misspoke or misattributed the work or just plain got it wrong. Randy ------------------------------------------------------------------------------- Can you respond to attacks based on attack type, severity, source IP, destination IP, number of times attacked, or the time of day an attackoccurs? No? No wonder why you're swamped with false positives! Download a free 15-day trial of Border Guard and watch your false
positives disappear. http://www.securityfocus.com/StillSecure-focus-ids2 -------------------------------------------------------------------------------
Current thread:
- Polymorphic Shellcode detection ulfabodo (May 06)
- Re: Polymorphic Shellcode detection Randy Taylor (May 06)
- Re: Polymorphic Shellcode detection Krzysztof Zaraska (May 06)
- RE: Polymorphic Shellcode detection Aleksander P. Czarnowski (May 06)
- Re: Polymorphic Shellcode detection Jeremy Bennett (May 06)
- Re: Polymorphic Shellcode detection zheng (May 08)
- Re: Polymorphic Shellcode detection sam stover (May 12)
- Re: Polymorphic Shellcode detection Robert Graham (May 12)
- Re: Polymorphic Shellcode detection sam stover (May 12)
- <Possible follow-ups>
- Re: Polymorphic Shellcode detection David Barroso (May 06)