Firewall Wizards mailing list archives
RE: Efficiently detecting obfuscated shell code
From: "Eugene Kuznetsov" <eugene () datapower com>
Date: Wed, 4 Feb 2004 15:13:34 -0500
> little real discussion on it. Question being; is it possible to reliably detect an obfuscated egg? Many of the ids
I don't think so, either theoretically or practically. The problem is that when doing "application security" the way it is done today, you are relying on heuristics and past attack signatures (necessarily reactive). It requires knowing what *invalid* RPC or web-cgi traffic looks like, which in turn requires a lot of extra configuration. All the information about what's valid is buried inside the app, and has to be manually re-created as configuration in the IDS.

Eugene Kuznetsov, Chairman & CTO : eugene () datapower com
DataPower Technology, Inc. : XS40 XML Security Gateway
http://www.datapower.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
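The negative-model versus positive-model distinction in the message above, shown as an added example (this code is not from the thread or from any poster). It runs a toy signature matcher of the kind an IDS carries, and a toy application-side validator, over three constructed inputs: a classic 0x90 NOP-sled "egg", an obfuscated variant whose sled uses other single-byte x86 instructions and whose marker string is XOR-encoded, and a benign value. The byte strings are constructed stand-ins, not working shellcode; the field rule (a hypothetical "filename" parameter) is an assumption standing in for whatever the real application considers valid.

```python
import re

# Constructed sample inputs (not captured traffic, not working shellcode).
PLAIN_EGG = b"\x90" * 32 + b"/bin/sh\x00"          # 0x90 sled + cleartext marker
OBF_SLED = bytes([0x41, 0x42, 0x43, 0x47]) * 8     # inc ecx/edx/ebx/edi: a sled with no 0x90 in it
OBF_EGG = OBF_SLED + bytes(b ^ 0x55 for b in b"/bin/sh\x00")  # marker XOR-encoded with key 0x55
BENIGN = b"order_1234.xml"

# Negative model: what an IDS typically has, a list of things known to be bad.
SIGNATURES = [
    re.compile(rb"\x90{16,}"),   # long run of x86 NOPs
    re.compile(rb"/bin/sh"),     # cleartext shell path
]


def signature_detect(data: bytes) -> bool:
    """Return True if any known-bad signature matches (reactive, pattern-based)."""
    return any(sig.search(data) for sig in SIGNATURES)


# Positive model: what the application itself knows about this field.
# Hypothetical rule for an assumed "filename" parameter: short, printable, restricted charset.
FIELD_RE = re.compile(rb"[A-Za-z0-9_.\-]{1,32}")


def positive_validate(data: bytes) -> bool:
    """Return True only if the whole value matches the application's definition of valid."""
    return FIELD_RE.fullmatch(data) is not None


def classify(data: bytes) -> dict:
    """Run both models over one input and report what each one says."""
    return {
        "signature_hit": signature_detect(data),
        "valid_for_app": positive_validate(data),
    }


def demo() -> dict:
    """Classify all three constructed inputs; keyed by a short label."""
    samples = [("plain", PLAIN_EGG), ("obfuscated", OBF_EGG), ("benign", BENIGN)]
    return {name: classify(value) for name, value in samples}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:11s} signature_hit={result['signature_hit']!s:5s} "
              f"valid_for_app={result['valid_for_app']}")
```

The signature list catches the plain egg and misses the obfuscated one, because the obfuscated sled contains no 0x90 bytes and the encoded marker never matches the cleartext pattern. The positive validator rejects both eggs and accepts the benign value without ever recognizing either input as shellcode: it only knows that neither is a valid filename. That knowledge is exactly the per-field definition of "valid" that lives inside the application and has to be re-created as configuration before a gateway or IDS can apply it.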
Current thread:
- Efficiently detecting obfuscated shell code Don Parker (Feb 04)
- Re: Efficiently detecting obfuscated shell code Paul Robertson (Feb 04)
- Re: Efficiently detecting obfuscated shell code Joseph S D Yao (Feb 04)
- RE: Efficiently detecting obfuscated shell code Eugene Kuznetsov (Feb 04)
- <Possible follow-ups>
- Re: Efficiently detecting obfuscated shell code Don Parker (Feb 04)
- Re: Efficiently detecting obfuscated shell code Don Parker (Feb 04)