IDS mailing list archives
Re: Polymorphic Shellcode detection
From: sam stover <sstover () enterasys com>
Date: Fri, 09 May 2003 08:30:46 -0400
OK, vendor vs. vendor alert here. I'm trying real hard not to act like another vendor and more like a potential customer, but obviously that's hard for me. I'd like to explain how I read this e-mail:

One way to do overflow detection is to search for syscall instructions. Snort does this and it doesn't work real well (potentially valid reasons in original e-mail). Another way is to check for the number of binary bytes. ISS does this and it's obsolete for some other (potentially valid) reasons. Some dude from academia invented a way, but it's too slow. The only real way to do it is by "sophisticated application anomaly". This is the best way and Intruvert does it on all their platforms.

Now, you've given fairly technical reasons why everyone else's approach is invalid or obsolete, but you've neglected to provide the technical backup to why your approach is the best. Now you do say that it's been validated by third parties, but you don't explain WHY your technology is the best. We are just expected to take your word for it I guess...

If I was a potential customer, I guess I'd ask: What is "sophisticated application anomaly"? Could you please elucidate?

--
Samuel f. Stover
sstover () enterasys com
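The two signature-style heuristics the post summarises (searching a payload for syscall opcodes, and counting non-printable bytes) are shown below as a small detector, added here as an illustration and not code from the poster or from any of the products named. The opcode table, the 0.5 ratio threshold and all sample inputs are constructed assumptions; the run shows why each heuristic alone misfires: benign binary data trips the byte-count check, while a printable-only blob passes both.

```python
import re

# Byte sequences an older signature-style IDS would search for: the Linux
# x86 "int 0x80" and "sysenter" opcodes. (Assumed table for this example.)
SYSCALL_PATTERNS = {
    "int 0x80": b"\xcd\x80",
    "sysenter": b"\x0f\x34",
}

def find_syscall_instructions(payload: bytes) -> dict:
    """Map each pattern name to the offsets at which it occurs in payload."""
    hits = {}
    for name, pat in SYSCALL_PATTERNS.items():
        offsets = [m.start() for m in re.finditer(re.escape(pat), payload)]
        if offsets:
            hits[name] = offsets
    return hits

def binary_byte_ratio(payload: bytes) -> float:
    """Fraction of bytes outside printable ASCII (0x20-0x7e, tab, CR, LF)."""
    if not payload:
        return 0.0
    printable = set(range(0x20, 0x7f)) | {0x09, 0x0a, 0x0d}
    return sum(1 for b in payload if b not in printable) / len(payload)

def classify(payload: bytes, ratio_threshold: float = 0.5) -> dict:
    """Apply both heuristics; the 0.5 threshold is an assumed tuning value."""
    hits = find_syscall_instructions(payload)
    ratio = binary_byte_ratio(payload)
    return {
        "syscalls": hits,
        "binary_ratio": ratio,
        "flag_syscall": bool(hits),
        "flag_binary": ratio >= ratio_threshold,
    }

# Constructed samples: not captured traffic and not real shellcode.
HTTP_REQUEST = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"
BENIGN_BINARY = bytes(range(256)) * 2           # e.g. a compressed download
PRINTABLE_BLOB = b"ZZZZZZZZZZZZZZZZ" + b"0123456789abcdef" * 2  # printable-only stand-in
OPCODE_FRAGMENT = b"\x90" * 4 + b"\xcd\x80"     # padding plus the int 0x80 opcode

if __name__ == "__main__":
    for label, sample in [("http", HTTP_REQUEST), ("binary", BENIGN_BINARY),
                          ("printable", PRINTABLE_BLOB), ("opcode", OPCODE_FRAGMENT)]:
        print(label, classify(sample))
```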
Current thread:
- Polymorphic Shellcode detection ulfabodo (May 06)
- Re: Polymorphic Shellcode detection Randy Taylor (May 06)
- Re: Polymorphic Shellcode detection Krzysztof Zaraska (May 06)
- RE: Polymorphic Shellcode detection Aleksander P. Czarnowski (May 06)
- Re: Polymorphic Shellcode detection Jeremy Bennett (May 06)
- Re: Polymorphic Shellcode detection zheng (May 08)
- Re: Polymorphic Shellcode detection sam stover (May 12)
- Re: Polymorphic Shellcode detection Robert Graham (May 12)
- Re: Polymorphic Shellcode detection sam stover (May 12)
- <Possible follow-ups>
- Re: Polymorphic Shellcode detection David Barroso (May 06)