Snort mailing list archives
Re: What to do with malicius encrypted code!??i
From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 03 Feb 2004 17:07:56 -0500
At 02:52 PM 2/2/2004, soldier Mx wrote:
> I think so, if somebody sends malicious code encrypted, like the exploits or something, the IDS are useless! What do you think, or what to do against that?
Well, just because the malicious payload is encrypted does not make an IDS useless.
Fundamentally they need to be using _some_ mechanism to get the code executed in the first place... an overflow or some other exploit.
Here you're looking for signs of attack before the code is delivered... and many Snort sigs work this way (although I'd argue some Snort sigs are incorrectly written and are exclusive to a particular proof-of-concept code, this isn't the general case).
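The distinction drawn in the reply above, between a signature tied to one proof-of-concept's bytes and one that looks for the attack itself, as an added example (not part of the original post and not Snort code). The line-based USER command, the 64-byte limit and the payload bytes are all constructed assumptions.

```python
# Added illustration; protocol, limit and payload bytes are constructed assumptions.
MAX_USER_LEN = 64                         # assumed size of the vulnerable buffer
POC_PAYLOAD = b"CONSTRUCTED-POC-PAYLOAD"  # stand-in for one PoC's code bytes
FILLER = b"A" * 80                        # padding that overruns the buffer


def xor_encode(data: bytes, key: int) -> bytes:
    """Stand-in for 'encrypting' the delivered code."""
    return bytes(b ^ key for b in data)


def payload_signature(packet: bytes) -> bool:
    """PoC-specific signature: fires only on the known payload bytes."""
    return POC_PAYLOAD in packet


def vector_signature(packet: bytes) -> bool:
    """Vulnerability-based signature: fires on the overlong USER argument
    that triggers the overflow, whatever bytes follow the padding."""
    for line in packet.split(b"\n"):
        verb, _, arg = line.strip(b"\r").partition(b" ")
        if verb.upper() == b"USER" and len(arg) > MAX_USER_LEN:
            return True
    return False


# Constructed sample traffic for the hypothetical service.
SAMPLES = {
    "benign login": b"USER alice\r\n",
    "PoC, plain payload": b"USER " + FILLER + POC_PAYLOAD + b"\r\n",
    "PoC, encoded payload": b"USER " + FILLER + xor_encode(POC_PAYLOAD, 0x21) + b"\r\n",
}


def evaluate(samples):
    """Return {name: (payload_signature hit, vector_signature hit)}."""
    return {name: (payload_signature(p), vector_signature(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (by_payload, by_vector) in evaluate(SAMPLES).items():
        print(f"{name:22} payload-sig={by_payload!s:5} vector-sig={by_vector}")
```

Only the vector-based check still fires once the payload bytes change, because the overlong argument has to be sent in the clear for the overflow to happen at all.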
Current thread:
- What to do with malicius encrypted code!??i soldier Mx (Feb 02)
- Re: What to do with malicius encrypted code!??i Matt Kettler (Feb 03)