Snort mailing list archives

Re: Pattern Matching in encoded Shellcode


From: Matt Olney <molney () sourcefire com>
Date: Sat, 24 Apr 2010 13:52:01 +0200

We are certainly doing research in both. Check the preso at labs.snort.org/nrt for an example of our research in that area.

Handling multi-byte XORing is challenging at line speed, but with a bit of time on the side it's doable.

Sent from my iPhone

On Apr 24, 2010, at 1:07 PM, "felix.matenaar@rwth-aachen" <felix.matenaar () rwth-aachen de> wrote:

I've not tested it but I could imagine that shellcode detection would have some advantages over exploitation detection. In exploitation detection you have to know the exploit. Shellcode detection requires you to know the shellcode or the method used by it. But exploits are a lot more individual than shellcode (correct me if I'm wrong). That would mean that shellcode detection could be used to detect 0-days in case known shellcode or shellcode techniques are used, in a performant manner.


Jason Brvenik wrote:

My point is that the shellcode is irrelevant when you detect exploitation of the vuln. A simple case would be detecting >20 bytes passed to a 20 byte buffer.

I can think of some cases where you would end up with split vectors, payloads sent apart from exploitation, but none of them would require shellcode detection if you detect >20 bytes passed to a 20 byte buffer.

I was looking for a use case outside exploitation where it would have applicability. E.g. vuln-in-unescape-itself types of things.

The VRT NRT release would have direct applicability in those use cases for file formats at least.
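Matt's remark about the cost of handling multi-byte XOR at line speed, illustrated with an added example that is not from this thread and not Snort code: a known-plaintext search for a signature under an unknown repeating XOR key of up to four bytes, deriving the candidate key from the data instead of enumerating keys. The signature and sample buffer are constructed for the example.

```python
"""Signature search under an unknown multi-byte XOR key (detection side).

Trying every key is hopeless (256**k keys for a k-byte key).  Instead, assume
the signature starts at offset i and derive the key stream the data implies:
    stream[j] = data[i + j] ^ sig[j]
If the guess is right, stream repeats with period k.  Cost is roughly
O(len(data) * len(sig) * max_key_len) per packet, which is the line-speed problem.
"""


def find_xor_encoded(data: bytes, sig: bytes, max_key_len: int = 4):
    """Return [(offset, key)] for each place where sig XOR some repeating key
    of 1..max_key_len bytes appears in data.  key is aligned to the match
    start, so a plaintext hit comes back with key b"\\x00"."""
    hits = []
    for i in range(len(data) - len(sig) + 1):
        stream = bytes(d ^ s for d, s in zip(data[i:i + len(sig)], sig))
        for k in range(1, max_key_len + 1):
            if len(sig) < 2 * k:
                break  # too few bytes to confirm a period this long
            if all(stream[j] == stream[j - k] for j in range(k, len(stream))):
                hits.append((i, stream[:k]))
                break  # shortest period wins; a longer one would be a multiple
    return hits


def xor_encode(buf: bytes, key: bytes) -> bytes:
    """Apply a repeating XOR key, the way a simple encoder would."""
    return bytes(b ^ key[n % len(key)] for n, b in enumerate(buf))


# Constructed sample: a stand-in signature inside filler, encoded with a
# three-byte key.  Not a real detection signature.
SIGNATURE = b"/bin/sh\x00"
SAMPLE_PLAIN = b"A" * 7 + SIGNATURE + b"B" * 5
SAMPLE_KEY = bytes([0x5A, 0xA5, 0x3C])
SAMPLE_ENCODED = xor_encode(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    for off, key in find_xor_encoded(SAMPLE_ENCODED, SIGNATURE):
        print(f"signature at offset {off}, key (aligned to match) {key.hex()}")
```

Because the key is reported aligned to the match start, the three-byte key above comes back rotated relative to how the encoder applied it from offset 0.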


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
