Firewall Wizards mailing list archives

RE: Efficiently detecting obfuscated shell code


From: "Eugene Kuznetsov" <eugene () datapower com>
Date: Wed, 4 Feb 2004 15:13:34 -0500

> little real discussion on it. Question being; is it possible 
> to reliably detect an obfuscated egg? Many of the ids 

I don't think so, either theoretically or practically. 

The problem is that when doing "application security" the way it is done
today, you are relying on heuristics and past attack signatures
(necessarily reactive). It requires knowing what *invalid* RPC or
web-cgi traffic looks like, which in turn requires a lot of extra
configuration. 

All the information about what's valid is buried inside the app, and has
to be manually re-created as configuration in the IDS. 


\\ Eugene Kuznetsov, Chairman & CTO  : eugene () datapower com
\\ DataPower Technology, Inc.        : XS40 XML Security Gateway
\\ http://www.datapower.com 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
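The post contrasts two ways an IDS can judge traffic: a negative model built from signatures of past attacks, and a positive model that encodes what the application actually accepts. The following added example (written for this archive page, not code from the poster or from DataPower) makes that contrast concrete for a hypothetical CGI endpoint. The endpoint name, the parameter specification, the signature list and every sample query are constructed assumptions; the point it demonstrates is that the signature checker can only say "no known signature matched" for input it has never seen, while the positive checker rejects anything outside the spec without needing to recognise it, at the cost of that spec having to be written out by hand from knowledge of the application, which is the configuration burden the post describes.

```python
import re
from urllib.parse import parse_qsl

# Negative model: substrings of previously seen bad requests.
# Constructed, illustrative list; a real IDS carries thousands of these.
KNOWN_BAD_SIGNATURES = ["../", "<script", "' or 1=1"]

# Positive model: what the (hypothetical) /cgi-bin/order endpoint accepts.
# This has to be transcribed from the application by hand; the IDS cannot
# derive it from the traffic, which is the post's "buried inside the app" point.
ORDER_PARAM_SPEC = {
    "id": re.compile(r"[0-9]{1,10}"),            # numeric order id
    "qty": re.compile(r"[1-9][0-9]{0,2}"),       # 1..999
    "note": re.compile(r"[A-Za-z0-9 .,'-]{0,80}"),  # short free text, no metacharacters
}
REQUIRED_PARAMS = {"id", "qty"}


def signature_verdict(query: str) -> str:
    """Negative model: block only if a known-bad signature appears."""
    lowered = query.lower()
    for sig in KNOWN_BAD_SIGNATURES:
        if sig in lowered:
            return f"block: matched signature {sig!r}"
    # Anything not on the list passes, including things never seen before.
    return "allow: no signature matched"


def positive_verdict(query: str, spec=ORDER_PARAM_SPEC, required=REQUIRED_PARAMS) -> str:
    """Positive model: allow only if every parameter conforms to the app's spec."""
    try:
        # strict_parsing turns fields without '=' into a ValueError;
        # keep_blank_values keeps 'id=' so the empty value is judged, not dropped.
        params = parse_qsl(query, strict_parsing=True, keep_blank_values=True)
    except ValueError as exc:
        return f"block: malformed query ({exc})"
    seen = set()
    for name, value in params:
        if name not in spec:
            return f"block: unexpected parameter {name!r}"
        if name in seen:
            return f"block: duplicate parameter {name!r}"
        seen.add(name)
        if not spec[name].fullmatch(value):
            return f"block: parameter {name!r} outside its allowed form"
    missing = required - seen
    if missing:
        return f"block: missing required parameter(s) {sorted(missing)}"
    return "allow: conforms to application spec"


def compare(query: str) -> dict:
    """Run both models over one query string and return their verdicts."""
    return {"signature": signature_verdict(query), "positive": positive_verdict(query)}


if __name__ == "__main__":
    # Constructed sample queries for the hypothetical endpoint.
    samples = [
        "id=1042&qty=2&note=gift wrap please",     # ordinary valid order
        "id=1042&qty=2&note=../../etc/passwd",     # matches a known signature
        "id=" + "A" * 300 + "&qty=2",              # nothing on the signature list
        "id=7&qty=1&debug=1",                      # parameter the app never defined
    ]
    for q in samples:
        verdicts = compare(q)
        print(f"{q[:40]:<42} signature -> {verdicts['signature']}")
        print(f"{'':<42} positive  -> {verdicts['positive']}")
```

Run it and the third sample is the one that matters: the signature model reports "allow: no signature matched" because it has no past attack to compare against, while the positive model blocks it simply because `id` is not a short run of digits. The cost is visible in `ORDER_PARAM_SPEC`: every endpoint and every parameter needs an entry, maintained in step with the application.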
