Vulnerability Development mailing list archives

Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs


From: Charles 'core' Stevenson <core () bokeoa com>
Date: Sat, 26 Jan 2002 11:53:36 -0700

The code is interesting and pretty nice except that it detects just
about anything as shellcode. Even the last e-mail I sent out to you and
forgot to CC to the list. ;-)

IA32 shellcode found: Protocol TCP 127.0.0.1:57118 -> 127.0.0.1:25
Dumping data:
Message-ID: <3C52F9DA.451181D7 () bokeoa co
m>..Date: Sat, 26 Jan 2002 11:47:54 -070
0..From: Charles 'core' Stevenson <core@
bokeoa.com>..Reply-To: core () bokeoa com..
X-Mailer: Mozilla 4.7 [en] (X11; I; Linu
x 2.4.15-pre4 ppc)..X-Accept-Language: e
n..MIME-Version: 1.0..To: Robert Flicker
 <robert_flicker () hotmail com>..Subject: 
Re: [NGSEC] Whitepaper Released: Polymor
phic shellcodes vs. .. ApplicationIDSs..
References: <F153nHxRKYblf8nFJ3V0001881d
@hotmail.com>..Content-Type: text/plain;
 charset=us-ascii..Content-Transfer-Enco
ding: 7bit....But it also detected the l
ast e-mail I sent as shellcode.....Haha.
.....peace,..core....Robert Flicker wrot
e:..> ..> Hi charles:..> ..> Have you te
sted the sourcecode that comes with the 
paper:..> ..> http://www.ngsec.com/downl
oads/misc/NIDSfindshellcode.tgz..> ..> A
s far as i know is the first public code
 that does this stuff...> It may be not 
hot-news but i think it worth the downlo
ad, and is a better..> solution for curr
ent IDS than your exoteric thoughts with
 Neuronal Networks..> and distributed si
gnature checking... INMHO uimplementable
 in current IDS..> technologies...> ..> 
Quoting from www.snort.org:..> ..> "Pape
r: Polymorphicisms be gone..> .....> His
 ideas revolve around counting multiple 
NOP type operations in a row and..> aler
ting when a threshold is reached. The id
ea has been kicked around for a..> while
, but this is the first one that I have 
seen in actual implementation...> .....>
 "..> ..> Current snort branch and its t
echnique to detect shellcode is very eas
y..> foolable ;P... NIDSfindshellcode is
 also foolable but in a harder way...> .
.> Robert Flicker..> ..> _______________
________________________________________
__________..> Join the world?s largest e
-mail service with MSN Hotmail...> http:
//www.hotmail.com.....

Best Regards,
Charles Stevenson

Robert Flicker wrote:

Hi Charles:

Have you tested the sourcecode that comes with the paper:

http://www.ngsec.com/downloads/misc/NIDSfindshellcode.tgz

As far as I know it is the first public code that does this stuff.
It may not be hot news but I think it is worth the download, and is a better
solution for current IDS than your esoteric thoughts on Neuronal Networks
and distributed signature checking... IMHO unimplementable in current IDS
technologies.

Quoting from www.snort.org:

"Paper: Polymorphicisms be gone
...
His ideas revolve around counting multiple NOP type operations in a row and
alerting when a threshold is reached. The idea has been kicked around for a
while, but this is the first one that I have seen in actual implementation.
...
"

The current snort branch and its technique to detect shellcode is very easily
foolable ;P... NIDSfindshellcode is also foolable, but in a harder way.

Robert Flicker

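An added example, mine rather than code from the NGSec paper or the NIDSfindshellcode tool: a minimal detector of the kind the snort.org summary describes (count consecutive single-byte NOP-equivalent IA-32 instructions, alert once a run reaches a threshold), run over a constructed 0x90 sled and a constructed SMTP header line to show why ordinary e-mail text trips it, as reported above. The opcode set, the threshold and the samples are my assumptions, not the tool's.

```python
# Added example: NOP-run counting in the style described on snort.org,
# plus the false positive that plain ASCII text produces. The opcode set
# below is an illustrative assumption, not NGSec's list.
from typing import Optional, Tuple

# Single-byte IA-32 instructions that do not disturb control flow and so
# can serve as sled filler (assumed set): 0x90 nop, 0x40-0x4f inc/dec r32,
# 0x50-0x5f push/pop r32, 0x27 daa, 0x2f das, 0x37 aaa, 0x3f aas,
# 0x91-0x97 xchg eax,r32, 0x98 cwde, 0x99 cdq, 0x9b fwait, 0x9e sahf,
# 0x9f lahf, 0xf5 cmc, 0xf8 clc, 0xf9 stc, 0xfc cld, 0xfd std.
NOP_LIKE = frozenset(
    {0x90, 0x27, 0x2F, 0x37, 0x3F, 0x98, 0x99, 0x9B, 0x9E, 0x9F,
     0xF5, 0xF8, 0xF9, 0xFC, 0xFD}
    | set(range(0x40, 0x60)) | set(range(0x91, 0x98))
)

def longest_nop_run(data: bytes) -> Tuple[int, int]:
    """Return (length, offset) of the longest run of NOP-like bytes."""
    best_len = best_off = run = start = 0
    for i, b in enumerate(data):
        if b in NOP_LIKE:
            if run == 0:
                start = i
            run += 1
            if run > best_len:
                best_len, best_off = run, start
        else:
            run = 0
    return best_len, best_off

def find_shellcode(data: bytes, threshold: int = 8) -> Optional[dict]:
    """Alert (as a dict) when a sled-like run reaches the threshold."""
    length, offset = longest_nop_run(data)
    if length >= threshold:
        return {"offset": offset, "run": length,
                "sample": data[offset:offset + length]}
    return None

# Constructed samples: a classic 0x90 sled and an ordinary SMTP header line.
SLED = b"\x90" * 32 + b"\xcc"  # constructed filler, not a real payload
MAIL = b"Subject: Re: [NGSEC] Whitepaper Released: POLYMORPHIC SHELLCODES\r\n"
# 'A'-'O' decode as inc/dec and 'P'-'_' as push/pop on IA-32, so an
# upper-case word looks exactly like sled filler to this detector.
# Raising the threshold (e.g. 16) drops this text false positive while
# still catching the 32-byte sled, at the cost of missing shorter sleds.

if __name__ == "__main__":
    for name, blob in (("sled", SLED), ("mail", MAIL)):
        print(name, find_shellcode(blob), find_shellcode(blob, threshold=16))
```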

