Snort mailing list archives

Re: What to do with malicious encrypted code!??i


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 03 Feb 2004 17:07:56 -0500

At 02:52 PM 2/2/2004, soldier Mx wrote:
> I think so,
> if somebody sends malicious code encrypted, like the
> exploits or something, the IDS are useless!
> what do u think, or what to do against that!?

Well, just because the malicious payload is encrypted does not make an IDS useless.

Fundamentally they need to be using _some_ mechanism to get the code executed in the first place... an overflow or some other exploit.

Here you're looking for signs of attack before the code is delivered... and many Snort sigs work this way (although I'd argue some Snort sigs are incorrectly written and are exclusive to a particular proof-of-concept code, this isn't the general case).
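
The point made in this reply, shown as an added example that is not part of the original post: a signature keyed to one proof-of-concept's payload bytes misses an encoded copy, while a signature keyed to the overflow condition still fires. The `USER` command, the 64-byte limit, the XOR encoding and all sample bytes are constructed assumptions.

```python
# Added illustration; the protocol, limit and sample bytes are all constructed.
import re

USER_LIMIT = 64  # assumed size of the vulnerable server's username buffer

# Signature A: keyed to bytes from one specific proof-of-concept payload.
POC_BYTES = b"POC_PAYLOAD_V1"  # constructed stand-in, not real shellcode

# Signature B: keyed to the condition that triggers the overflow itself.
USER_CMD = re.compile(rb"^USER ([^\r\n]*)\r\n", re.MULTILINE)


def payload_sig(packet: bytes) -> bool:
    """Alert only if the known PoC bytes appear verbatim."""
    return POC_BYTES in packet


def vector_sig(packet: bytes) -> bool:
    """Alert if any USER argument exceeds the assumed buffer size."""
    return any(len(m.group(1)) > USER_LIMIT for m in USER_CMD.finditer(packet))


def xor_encode(data: bytes, key: int) -> bytes:
    """Stand-in for the sender 'encrypting' the payload."""
    return bytes(b ^ key for b in data)


def build_request(payload: bytes) -> bytes:
    """Oversized USER argument: padding up to the limit, then the payload."""
    return b"USER " + b"A" * USER_LIMIT + payload + b"\r\n"


def evaluate() -> dict:
    """Run both signatures over three constructed requests."""
    samples = {
        "benign": b"USER alice\r\n",
        "plain_poc": build_request(POC_BYTES),
        "encoded_poc": build_request(xor_encode(POC_BYTES, 0x21)),
    }
    return {name: (payload_sig(p), vector_sig(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (a, b) in evaluate().items():
        print(f"{name:12} payload_sig={a!s:5} vector_sig={b}")
```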




