Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs

["Robert Flicker" <robert_flicker () hotmail com>]

Hello Charles:

Maybe thats why paper's title said "Application IDS" not "Network IDS". I do 
not know why proof of technique is a NIDS (maybe is a more straight forward 
test rather than to test it on an application).

It also said in paper, that in order to implement this code in your 
Application IDS, you should set NOP_NUMBER to a value that fits your 
application and input data.

Probably it isn't the ultimate solution for polymorphic shellcode 
regognition but is a better solution rather than high bit recognition 
technique of secureiis of eeye.

Focusing on web server application IDS, i only know of eeye's secureiis 
(www.eeye.com) and ngsec's ngsecureweb (www.ngsec.com). I did the following 
test:

Under two diferent platforms: MS W2k IIS 5.0 and Linux Apache 1.3.23
I set up a common php and asp for uploading webpages and images. And 
uploaded 10 random 10k images/html with POST Method.

Results:
- ngsecureweb: raised no shellcode recognition alarm.
- secureiis: raised two alarms.

Fond Regards.
.RF

> From: Charles 'core' Stevenson <core () bokeoa com>
> Reply-To: core () bokeoa com
> To: Robert Flicker <robert_flicker () hotmail com>
> Subject: Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. 
> ApplicationIDSs
> Date: Sat, 26 Jan 2002 11:47:13 -0700
>
> Robert,
>
> I missed the code. It's very nice. I just expected to see more detail in
> the Whitepaper.
>
> (echo "GET ";./test 0)|nc localhost 80 <-- detected
> (echo "GET ";./execve)|nc localhost 80 <-- linux/ppc execve not detected
>
> Let's try some variations and see... perhaps if I give 200 nops.
>
> (echo "GET ";perl -e 'print "\x60"x200';./execve)|nc localhost 80 <--
> detected although not correctly but no matter
>
> NIDS_shellcode v0.1 by Fermín J. Serna <fjserna () ngsec com>
> Next Generation Security Technologies
> http://www.ngsec.com
>
> IA32 shellcode found: Protocol TCP 127.0.0.1:57102 -> 127.0.0.1:80
> Dumping data:
> GET .B/].@XOTW.DK.J..'7G.D_/...KE]VH.^XP
> .^D@T.HG7DRRFJ_.BA () XH S IEG...OP_YJ.[.IM
> A....FZO.RU?N?]H'.EOB.CVW[T.XSA7.].CJJSA
> JMN7/].GTZ..UP....`.HL].'.XP.WKFH@7HEE..
> .WZJV.O.L.KY..FZIXTP].Z..`L7E[.BQUEE.PYS
> AG.TLLQYRDVV.K]G.]L]Q.TC......W`.7M/.X7L
> .7.ONCEVBS_HK.]RUR^X.
>
> IA32 shellcode found: Protocol TCP 127.0.0.1:57107 -> 127.0.0.1:80
> Dumping data:
> ````````````````````````````````````````
> ````````````````````````````````````````
> ````````````````````````````````````````
> ````````````````````````````````````````
> ````````````````````````````````````````
> |.*x@.......;..08....a......8...;..`...p
> D.../bin/sh
>
>
> Best Regards,
> Charles Stevenson
>
> Robert Flicker wrote:
> > Have you tested the sourcecode that comes with the paper:
> >
> > http://www.ngsec.com/downloads/misc/NIDSfindshellcode.tgz
> >
> > As far as i know is the first public code that does this stuff.
> > It may be not hot-news but i think it worth the download, and is a 
> better
> > solution for current IDS than your exoteric thoughts with Neuronal 
> Networks
> > and distributed signature checking... INMHO uimplementable in current 
> IDS
> > technologies.
> >
> > Quoting from www.snort.org:
> >
> > "Paper: Polymorphicisms be gone
> > ...
> > His ideas revolve around counting multiple NOP type operations in a row 
> and
> > alerting when a threshold is reached. The idea has been kicked around 
> for a
> > while, but this is the first one that I have seen in actual 
> implementation.
> > ...
> > "
> >
> > Current snort branch and its technique to detect shellcode is very easy
> > foolable ;P... NIDSfindshellcode is also foolable but in a harder way.
> >
> > Robert Flicker
> >
> > _________________________________________________________________
> > Join the world?s largest e-mail service with MSN Hotmail.
> > http://www.hotmail.com


_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com