Firewall Wizards mailing list archives
Re: Efficiently detecting obfuscated shell code
From: "Don Parker" <dparker () rigelksecurity com>
Date: Wed, 4 Feb 2004 14:01:20 -0500 (EST)
Hi Joseph,

Undoubtedly, heuristics is the name of the game when it comes to detecting this stuff. Some of the stuff out there is pretty good indeed, but with so many variants possible, is it truly effective >>99% of the time? I would say not, myself. This is where the human interface has to be top-notch, or at least educated in this area. The gear is an excellent starting point, but the human eye needs to be educated as well.

Cheers!

Don

-------------------------------------------
Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc
www.rigelksecurity.com
ph :613.249.8340
fax:613.249.8319
--------------------------------------------

On Feb 4, Joseph S D Yao <jsdy () center osis gov> wrote:

> On Wed, Feb 04, 2004 at 11:39:16AM -0500, Don Parker wrote:
>> Hey guys/gals, I have been sending this question around some of the lists, and have
>> had little real discussion on it. Question being: is it possible to reliably detect an
>> obfuscated egg? Many of the IDS signatures I have seen are a little loose, and always
>> go for the nop sled with some port matching.
> ...
>
> Hi, Don.
>
> Question being: define "reliably". ;-)
>
> If you mean 100%, then IIRC certain famous mathematicians who were actually true "computer scientists" proved that it was not possible to always determine the output of a program, which is equivalent to determining whether a sequence of bytes is in fact intended to be a program with some kind of specific goal in mind.
>
> If you mean "pretty reliably", e.g., >> 99%, then it's a matter of throwing heuristics with very low false negatives at the problem faster than the bad guys can beat them. Because [see above] they will always be able to.
>
> --
> Joe Yao
> jsdy () center osis gov - Joseph S. D. Yao
> OSIS Center Systems Support EMT-B
> -----------------------------------------------------------------------
> This message is not an official statement of OSIS Center policies.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
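The trade-off the thread circles around (a "loose" sled signature that misses variants versus a broader heuristic that catches more but trips on benign data) can be made concrete. The following is an added example written for this archive page, not code posted by either participant or by any IDS project. It compares a strict check keyed on the canonical 0x90 NOP byte with a run-length heuristic that flags any long run of a single repeated byte. The threshold, the function names and the three sample payloads are constructed assumptions, not captured traffic.

```python
"""Toy NOP-sled heuristics (added example; not from the mailing-list thread).

Two detectors are run over constructed sample payloads:
  * strict_sled()      - the "loose" IDS-style check: a long run of 0x90 only.
  * run_length_sled()  - a broader heuristic: a long run of ANY single byte.
The broader check has fewer false negatives (it sees sleds built from a
different one-byte filler) but more false positives (zero padding looks
the same to it), which is exactly the tuning problem analysts live with.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterator

NOP = 0x90          # canonical single-byte x86 NOP opcode
MIN_RUN = 32        # assumed run-length threshold; real rule sets tune this per service


@dataclass(frozen=True)
class Run:
    """A maximal stretch of one repeated byte value inside a payload."""
    offset: int
    byte: int
    length: int


def byte_runs(payload: bytes) -> Iterator[Run]:
    """Yield every maximal run of a repeated byte value, in payload order."""
    i, n = 0, len(payload)
    while i < n:
        j = i
        while j < n and payload[j] == payload[i]:
            j += 1
        yield Run(i, payload[i], j - i)
        i = j


def strict_sled(payload: bytes, min_run: int = MIN_RUN) -> bool:
    """The 'loose' signature: fire only on a long run of 0x90 bytes."""
    return any(r.byte == NOP and r.length >= min_run for r in byte_runs(payload))


def run_length_sled(payload: bytes, min_run: int = MIN_RUN) -> list[Run]:
    """Broader heuristic: report every run of a single byte at least min_run long."""
    return [r for r in byte_runs(payload) if r.length >= min_run]


def triage(payload: bytes) -> dict[str, object]:
    """Compare both detectors on one payload; 'disagree' marks the tuning cases."""
    runs = run_length_sled(payload)
    strict = strict_sled(payload)
    return {
        "strict_hit": strict,
        "run_hits": [(r.offset, hex(r.byte), r.length) for r in runs],
        "disagree": bool(runs) != strict,
    }


# Constructed sample payloads (assumptions for the demo, not captured traffic).
MARKER = b"<constructed-placeholder>"                        # stands in for whatever follows a sled
SAMPLE_CLASSIC = b"\x90" * 64 + MARKER                       # textbook 0x90 sled
SAMPLE_ALT_FILLER = b"\x41" * 64 + MARKER                    # same shape, different one-byte filler
SAMPLE_BENIGN = b"GET /index.html HTTP/1.0\r\n" + b"\x00" * 48  # harmless zero padding

if __name__ == "__main__":
    for name, sample in [("classic", SAMPLE_CLASSIC),
                         ("alt_filler", SAMPLE_ALT_FILLER),
                         ("benign", SAMPLE_BENIGN)]:
        print(name, triage(sample))
```

Running it shows the strict check agreeing with the run-length heuristic only on the textbook sled: the alternate filler is a false negative for the strict rule, and the zero padding is a false positive for the broad one. Lowering `MIN_RUN` buys fewer misses at the price of more benign hits, which is the "human eye" work the thread describes.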
Current thread:
- Efficiently detecting obfuscated shell code Don Parker (Feb 04)
- Re: Efficiently detecting obfuscated shell code Paul Robertson (Feb 04)
- Re: Efficiently detecting obfuscated shell code Joseph S D Yao (Feb 04)
- RE: Efficiently detecting obfuscated shell code Eugene Kuznetsov (Feb 04)
- <Possible follow-ups>
- Re: Efficiently detecting obfuscated shell code Don Parker (Feb 04)
- Re: Efficiently detecting obfuscated shell code Don Parker (Feb 04)