Snort mailing list archives

Re: Pattern Matching in encoded Shellcode


From: "felix.matenaar@rwth-aachen" <felix.matenaar () rwth-aachen de>
Date: Sat, 24 Apr 2010 13:07:55 +0200

I've not tested it but I could imagine that shellcode detection would
have some advantages over exploitation detection. In exploitation
detection you have to know the exploit. Shellcode detection requires
knowing the shellcode or the method used by it. But exploits are a lot more
individual than shellcode (correct me if I'm wrong). That would mean
that shellcode detection could be used to detect 0-days in case that
known shellcode or shellcode techniques are used, in a performant manner.


Jason Brvenik wrote:

My point is that the shellcode is irrelevant when you detect
exploitation of the vuln. Simple case would be detecting >20 bytes
passed to a 20 byte buffer.

I can think of some cases where you would end up with split vectors,
payloads sent apart from exploitation, but none of them would require
shellcode detection if you detect >20 bytes passed to a 20 byte buffer.

I was looking for a use case outside exploitation where it would have
applicability. EG: vuln-in-unescape-itself types of things.

The VRT NRT release would have direct applicability in those use cases
for file formats at least.


------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
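The two strategies argued about in this thread, as an added example that is not part of the original messages or of any Snort rule set: one check flags the exploitation condition itself (more than 20 bytes passed to a 20 byte buffer, regardless of what the bytes are), the other flags a known shellcode technique wherever it appears in the message. The "USER" text protocol, the 20 byte buffer field, the sample messages and the NOP-sled pattern are all constructed here for illustration; only the 20 byte figure comes from the thread.

```python
# Added example, not from the thread. Models the two detection strategies
# under discussion over a hypothetical text protocol whose "USER " argument
# is copied into a 20-byte buffer (buffer size from the thread; protocol,
# samples and patterns are constructed here).

BUFFER_SIZE = 20  # size of the hypothetical fixed buffer (from the thread)

# Constructed "known technique" indicators, not real malware signatures.
# A run of x86 NOPs (0x90) at least this long is treated as a sled.
NOP_SLED_MIN = 16
KNOWN_TECHNIQUE_PATTERNS = {
    "nop-sled": b"\x90" * NOP_SLED_MIN,
}


def detect_exploitation(msg: bytes) -> bool:
    """Exploitation-condition check: does the USER argument exceed the buffer?

    Independent of the payload bytes: any overflow through this field is
    caught, including one carrying shellcode no signature exists for.
    It only covers this one vector, so the vulnerable field must be known.
    """
    if not msg.startswith(b"USER "):
        return False
    arg = msg[len(b"USER "):].rstrip(b"\r\n")
    return len(arg) > BUFFER_SIZE


def detect_shellcode(msg: bytes) -> list:
    """Shellcode-technique check: search the whole message for known patterns.

    Independent of the vector: the same technique is caught in any field
    (the "split vector" case), but shellcode with no known pattern is missed.
    """
    return [name for name, pat in KNOWN_TECHNIQUE_PATTERNS.items() if pat in msg]


def classify(msg: bytes) -> dict:
    """Run both checks so the reader can compare what each one catches."""
    return {"exploit": detect_exploitation(msg), "shellcode": detect_shellcode(msg)}


# Constructed sample messages (labelled by what each one exercises).
SAMPLES = {
    # normal use: short argument, nothing suspicious
    "benign": b"USER alice\r\n",
    # overflow with filler only: no known shellcode pattern present
    "overflow_unknown_payload": b"USER " + b"A" * 40 + b"\r\n",
    # overflow carrying a NOP sled: both checks fire
    "overflow_with_sled": b"USER " + b"\x90" * 24 + b"X" * 8 + b"\r\n",
    # split vector: sled delivered in another field, no overflow of USER
    "sled_in_other_field": b"DATA " + b"\x90" * 32 + b"\r\n",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:28s} {classify(msg)}")
```

In Snort terms the first check is what `isdataat:20,relative;` expresses after a `content:"USER ";` match, while the second is a plain `content:` match on the technique bytes with no anchoring to a particular field.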

