Re: Polymorphic Shellcode detection

["David Barroso" <dbarroso () s21sec com>]

> Hi,
> i wanted to find if the present ids'es are able to detect
> ploymorphic shellcodes a.k.a the ADMmutate and its variants. i had
> just gone through K2's article and at that time he claims that ISS
> was not able to detect the method which he has given.
> What about the other IDS vendors? Have they been able to detect
> such exploits? Can anyone throw some light on how the detection
> mechanism might work??

The fnord prepocessor (was included in snort) says:
This has proven to be substantially better than the snort experimental
NOP signatures with fewer falses, and consumes very little CPU in testing on
a
loaded DS3.  Beta testing has caught some new attacks using this detector
and
shown that turned up to high sensitivity levels it functions as a good lycos
cookie,  nntp, and streaming media detector too :-).

It should detect any ordinary shellcode that has NOP sleds even it it is not
polymorphically mutated, as well as codes mutated with K2's ADMmutate.
________________________________________________
Grupo S21Sec Gestión S.A.


-------------------------------------------------------------------------------
Can you respond to attacks based on attack type, severity, source IP,
destination IP, number of times attacked, or the time of day an attack
occurs? No? 
No wonder why you're swamped with false positives! 
Download a free 15-day trial of Border Guard and watch your false
positives disappear.

http://www.securityfocus.com/StillSecure-focus-ids2
-------------------------------------------------------------------------------