IDS mailing list archives

Re: Polymorphic Shellcode detection


From: Krzysztof Zaraska <kzaraska () student uci agh edu pl>
Date: Tue, 6 May 2003 23:41:38 +0200

On 6 May 2003 11:23:40 -0000
"ulfabodo" <ulfabodo () rediffmail com> wrote:

> Hi,
> I wanted to find out if the present IDSes are able to detect
> polymorphic shellcodes, a.k.a. ADMmutate and its variants. I had
> just gone through K2's article and at that time he claims that ISS
> was not able to detect the method which he has given.
> What about the other IDS vendors? Have they been able to detect
> such exploits?

Prelude NIDS 0.8.0 and later include a ShellCode plugin that should detect
polymorphic shellcodes.

> Can anyone throw some light on how the detection mechanism might work?

Take a look at:

http://www.ngsec.com/docs/whitepapers/polymorphic_shellcodes_vs_app_IDSs.PDF

AFAIK Prelude's implementation is not documented (well, you have the
source ;)), but IIRC it works around the same concept (counting
NOP-equivalent instructions in a single string and alerting once a
threshold is exceeded).

Regards,
Krzysztof

-- 
// Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
// http://mops.uci.agh.edu.pl/~kzaraska/ * http://www.prelude-ids.org/
// A dream will always triumph over reality, once it is given the chance.
//              -- Stanislaw Lem
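
The threshold-counting idea described in the reply above, as an added example in C that is not part of the original post and is not Prelude's ShellCode plugin or the NGSec code. The table of NOP-equivalent bytes is an illustrative subset of single-byte x86 instructions of the kind ADMmutate substitutes for 0x90 (an assumption, not the plugin's table), the four sample buffers are constructed here, and the threshold of 16 is arbitrary:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative subset of single-byte x86 instructions that a polymorphic
 * sled generator can use in place of 0x90 (assumed table, not Prelude's). */
static int is_nop_equivalent(uint8_t b)
{
    switch (b) {
    case 0x27: case 0x2f: case 0x37: case 0x3f:             /* daa das aaa aas      */
    case 0x60: case 0x61:                                   /* pusha popa           */
    case 0x90:                                              /* nop                  */
    case 0x98: case 0x99: case 0x9b:                        /* cwde cdq fwait       */
    case 0x9c: case 0x9d: case 0x9e: case 0x9f:             /* pushf popf sahf lahf */
    case 0xf5: case 0xf8: case 0xf9: case 0xfc: case 0xfd:  /* cmc clc stc cld std  */
        return 1;
    default:
        break;
    }
    if (b >= 0x40 && b <= 0x5f) return 1;   /* inc/dec/push/pop r32 */
    if (b >= 0x91 && b <= 0x97) return 1;   /* xchg eax, r32        */
    return 0;
}

/* Longest run of consecutive bytes for which pred() holds. */
static size_t longest_run(const uint8_t *buf, size_t len, int (*pred)(uint8_t))
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        cur = pred(buf[i]) ? cur + 1 : 0;
        if (cur > best) best = cur;
    }
    return best;
}

static int is_nop90(uint8_t b) { return b == 0x90; }

/* Classic "NOP sled" signature: counts literal 0x90 bytes only. */
size_t longest_nop90_run(const uint8_t *buf, size_t len)
{
    return longest_run(buf, len, is_nop90);
}

/* Polymorphic-aware check: counts any NOP-equivalent instruction. */
size_t longest_nop_equiv_run(const uint8_t *buf, size_t len)
{
    return longest_run(buf, len, is_nop_equivalent);
}

/* Alert once a NOP-equivalent run reaches the threshold. */
int nop_sled_alert(const uint8_t *buf, size_t len, size_t threshold)
{
    return longest_nop_equiv_run(buf, len) >= threshold;
}

/* Constructed samples, not captured traffic. Each sled is terminated by
 * "xor eax,eax ; int3" (0x31 0xc0 0xcc), bytes that are not in the table. */
const uint8_t classic_sled[] = {
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
    0x31,0xc0,0xcc };
const size_t classic_sled_len = sizeof classic_sled;

/* 24 mixed NOP substitutes with a single literal 0x90 among them. */
const uint8_t poly_sled[] = {
    0x41,0x4b,0x99,0x50,0x58,0x27,0x9c,0x9d,0x47,0x61,0x60,0x90,
    0x42,0x4a,0x98,0x51,0x59,0x2f,0x9e,0x9f,0xf8,0xfc,0x43,0x91,
    0x31,0xc0,0xcc };
const size_t poly_sled_len = sizeof poly_sled;

const char benign_http[] = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n";
const size_t benign_http_len = sizeof benign_http - 1;

/* Uppercase ASCII (0x41-0x5a) lands inside inc/dec/push/pop r32, so a long
 * run of it looks like a sled: the false-positive side of the threshold. */
const char upper_text[] = "AAAAAAAAAAAAAAAAAAAAAAAA";
const size_t upper_text_len = sizeof upper_text - 1;

#define THRESHOLD 16   /* assumed value; a real engine tunes this per protocol */

static void report(const char *name, const uint8_t *buf, size_t len)
{
    printf("%-12s 0x90 run=%2zu  nop-equiv run=%2zu  alert=%d\n", name,
           longest_nop90_run(buf, len), longest_nop_equiv_run(buf, len),
           nop_sled_alert(buf, len, THRESHOLD));
}

int main(void)
{
    report("classic", classic_sled, classic_sled_len);
    report("polymorphic", poly_sled, poly_sled_len);
    report("http", (const uint8_t *)benign_http, benign_http_len);
    report("uppercase", (const uint8_t *)upper_text, upper_text_len);
    return 0;
}
```

The 0x90-only count sees a run of 1 in the polymorphic sample and misses it, while the NOP-equivalent count sees the full 24-byte run and alerts; the HTTP request line tops out at a 5-byte run ("HTTP/"). The uppercase string shows why the threshold matters: any protocol that carries long runs of capital letters (or base64-like data) will trip a low threshold, which is the trade-off a deployment has to tune.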