Vulnerability Development mailing list archives
Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs
From: Charles 'core' Stevenson <core () bokeoa com>
Date: Sat, 26 Jan 2002 11:53:36 -0700
The code is interesting and pretty nice except that it detects just about anything as shellcode. Even the last e-mail I sent out to you and forgot to CC to the list. ;-)

IA32 shellcode found: Protocol TCP 127.0.0.1:57118 -> 127.0.0.1:25
Dumping data:
Message-ID: <3C52F9DA.451181D7 () bokeoa co
m>..Date: Sat, 26 Jan 2002 11:47:54 -070
0..From: Charles 'core' Stevenson <core@
bokeoa.com>..Reply-To: core () bokeoa com..
X-Mailer: Mozilla 4.7 [en] (X11; I; Linu
x 2.4.15-pre4 ppc)..X-Accept-Language: e
n..MIME-Version: 1.0..To: Robert Flicker
 <robert_flicker () hotmail com>..Subject: 
Re: [NGSEC] Whitepaper Released: Polymor
phic shellcodes vs. .. ApplicationIDSs..
References: <F153nHxRKYblf8nFJ3V0001881d
@hotmail.com>..Content-Type: text/plain;
 charset=us-ascii..Content-Transfer-Enco
ding: 7bit....But it also detected the l
ast e-mail I sent as shellcode.....Haha.
.....peace,..core....Robert Flicker wrot
e:..> ..> Hi charles:..> ..> Have you te
sted the sourcecode that comes with the 
paper:..> ..> http://www.ngsec.com/downl
oads/misc/NIDSfindshellcode.tgz..> ..> A
s far as i know is the first public code
 that does this stuff...> It may be not 
hot-news but i think it worth the downlo
ad, and is a better..> solution for curr
ent IDS than your exoteric thoughts with
 Neuronal Networks..> and distributed si
gnature checking... INMHO uimplementable
 in current IDS..> technologies...> ..> 
Quoting from www.snort.org:..> ..> "Pape
r: Polymorphicisms be gone..> .....> His
 ideas revolve around counting multiple 
NOP type operations in a row and..> aler
ting when a threshold is reached. The id
ea has been kicked around for a..> while
, but this is the first one that I have 
seen in actual implementation...> .....>
 "..> ..> Current snort branch and its t
echnique to detect shellcode is very eas
y..> foolable ;P... NIDSfindshellcode is
 also foolable but in a harder way...> .
.> Robert Flicker..> ..> _______________
________________________________________
__________..> Join the world?s largest e
-mail service with MSN Hotmail...> http:
//www.hotmail.com.....

Best Regards,
Charles Stevenson

Robert Flicker wrote:
> Hi Charles:
>
> Have you tested the source code that comes with the paper:
>
> http://www.ngsec.com/downloads/misc/NIDSfindshellcode.tgz
>
> As far as I know it is the first public code that does this stuff.
> It may not be hot news, but I think it is worth the download, and is a better
> solution for current IDS than your esoteric thoughts with Neuronal Networks
> and distributed signature checking... IMHO unimplementable in current IDS
> technologies.
>
> Quoting from www.snort.org:
>
> "Paper: Polymorphicisms be gone
> ...
> His ideas revolve around counting multiple NOP type operations in a row and
> alerting when a threshold is reached. The idea has been kicked around for a
> while, but this is the first one that I have seen in actual implementation.
> ...
> "
>
> Current snort branch and its technique to detect shellcode is very easily
> foolable ;P... NIDSfindshellcode is also foolable but in a harder way.
>
> Robert Flicker
>
> _________________________________________________________________
> Join the world's largest e-mail service with MSN Hotmail.
> http://www.hotmail.com
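The false positive above is easy to reproduce with a detector of the kind the snort.org quote describes. What follows is an added illustration written for this archive page, not NIDSfindshellcode's code nor anything posted in the thread: it counts runs of one-byte IA32 instructions that a polymorphic sled can use in place of 0x90 and alerts when a run reaches a threshold. The opcode table and the threshold of 16 are this example's own assumptions. It runs the check over a constructed classic sled, a constructed 0x90-free sled, and constructed text samples, including a rule of 65 underscores like the Hotmail footer visible in the dump (15 + 40 + 10 across three 40-byte rows). Since 0x5f decodes as pop edi, that rule alone is 65 consecutive NOP-like bytes; that it is what fired is my inference, not something the tool's output states.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed alert threshold for this example (not NIDSfindshellcode's value). */
#define SLED_THRESHOLD 16

/* One-byte IA32 instructions a polymorphic sled can use instead of 0x90:
 * each executes without faulting and leaves the fall-through path to the
 * payload intact. Illustrative subset chosen for this example; note that
 * 0x40-0x61 covers '@', 'A'-'Z', '[', '\', ']', '^', '_', '`' and 'a'. */
static int is_nop_like(uint8_t b)
{
    if (b >= 0x40 && b <= 0x61)       /* inc/dec r32, push/pop r32, pusha, popa */
        return 1;
    if (b >= 0x90 && b <= 0x99)       /* nop, xchg eax,r32, cwde, cdq */
        return 1;
    switch (b) {
    case 0x27: case 0x2f: case 0x37: case 0x3f:  /* daa, das, aaa, aas */
    case 0x9e: case 0x9f:                        /* sahf, lahf */
    case 0xf5: case 0xf8: case 0xf9:             /* cmc, clc, stc */
    case 0xfc: case 0xfd:                        /* cld, std */
        return 1;
    default:
        return 0;
    }
}

/* Length of the longest run of consecutive NOP-like bytes in buf. */
size_t longest_nop_run(const uint8_t *buf, size_t len)
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        if (is_nop_like(buf[i])) {
            if (++cur > best)
                best = cur;
        } else {
            cur = 0;
        }
    }
    return best;
}

/* The detector: "IA32 shellcode found" when any run reaches the threshold. */
int sled_alert(const uint8_t *buf, size_t len)
{
    return longest_nop_run(buf, len) >= SLED_THRESHOLD;
}

/* Same checks over a NUL-terminated text payload (e.g. one SMTP line). */
size_t text_run(const char *s)
{
    return longest_nop_run((const uint8_t *)s, strlen(s));
}

int text_alert(const char *s)
{
    return sled_alert((const uint8_t *)s, strlen(s));
}

/* Constructed sample: classic sled, 64 x 0x90 then xor eax,eax (0x31 0xc0). */
size_t classic_sled_run(void)
{
    uint8_t buf[66];
    memset(buf, 0x90, 64);
    buf[64] = 0x31;
    buf[65] = 0xc0;
    return longest_nop_run(buf, sizeof buf);
}

/* Constructed sample: polymorphic sled with no 0x90 at all, 16 bytes of
 * inc/dec/push/pop/xchg/flag ops, then xor eax,eax. */
size_t poly_sled_run(void)
{
    static const uint8_t sled[] = {
        0x40, 0x4b, 0x52, 0x5a, 0x97, 0x60, 0x61, 0x98,
        0x99, 0x27, 0xfc, 0x9e, 0x9f, 0xf8, 0x42, 0x58,
        0x31, 0xc0
    };
    return longest_nop_run(sled, sizeof sled);
}

/* Constructed sample: the Hotmail footer rule, 65 x '_' (0x5f = pop edi). */
size_t footer_run(void)
{
    char footer[66];
    memset(footer, '_', 65);
    footer[65] = '\0';
    return text_run(footer);
}

int main(void)
{
    const char *prose   = "Have you tested the sourcecode that comes with the paper:";
    const char *subject = "Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs";

    printf("classic sled : run=%zu alert=%d\n", classic_sled_run(), classic_sled_run() >= SLED_THRESHOLD);
    printf("poly sled    : run=%zu alert=%d\n", poly_sled_run(), poly_sled_run() >= SLED_THRESHOLD);
    printf("prose line   : run=%zu alert=%d\n", text_run(prose), text_alert(prose));
    printf("subject line : run=%zu alert=%d\n", text_run(subject), text_alert(subject));
    printf("footer rule  : run=%zu alert=%d\n", footer_run(), footer_run() >= SLED_THRESHOLD);
    return 0;
}
```

Build with `cc -std=c99 -Wall nopsled.c && ./a.out` (the file name is arbitrary). Both sleds alert, the lowercase-heavy prose line peaks at a run of 2 and the subject line at 7 ("[NGSEC]"), while the underscore rule alerts with a run of 65. The lesson for SMTP-like traffic is that uppercase letters, brackets and underscores all decode as inc/dec/push/pop, so a pure byte-run threshold needs either protocol awareness or a higher bar before it is usable on text channels.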
Current thread:
- Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs Robert Flicker (Jan 26)
- Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs Charles 'core' Stevenson (Jan 26)
- Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs Mike Murray (Jan 26)
- Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs Pavel Kankovsky (Jan 27)
- Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs.ApplicationIDSs Gerardo Richarte (Jan 28)
- <Possible follow-ups>
- Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs Robert Flicker (Jan 27)
- Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs Charles 'core' Stevenson (Jan 26)