RE: about shell code(expoit code) detector...
From: Petruzel, Oliver (OliverP@aegisresearch.com)
Date: 08/17/01
- Previous message: Ian Sharkey: "Re: about shell code(expoit code) detector..."
- Maybe in reply to: Chowalit Hody: "about shell code(expoit code) detector..."
- Next in thread: Ian Sharkey: "Re: about shell code(expoit code) detector..."
Message-ID: <215B2C5D5818D411A5EE00805FC14FBB59FA33@AEGIS-ONE>
From: "Petruzel, Oliver" <OliverP@aegisresearch.com>
To: 'Chowalit Hody' <chong238803@yahoo.com>, focus-ids@securityfocus.com
Subject: RE: about shell code(expoit code) detector...
Date: Fri, 17 Aug 2001 14:35:53 -0400
> Dear All,
> I am seeing more about vulnerabilities in buffer overflow
> bugs now. I find that one point of succeeding in
> a BOF attack is injecting shell code (exploit code) into the
> buffer... But I think if we can detect exploit code
> before it is injected into the buffer, it will be a good idea...
> Well, does anyone know about a tool / method to detect
> exploit code / shell code?
Well, I'll address the question (kinda vague, though) by dumping a whole bunch of
answers here, and hopefully one of them helps you out.
1. preventing attacks in real time
2. avoiding BOs when coding
3. detecting BOs/exploits
1.
Commercially, there are several up-and-comers, and one which has been around
a little while: Entercept.
They are a hybrid HIDS of sorts that uses "generic signatures" to detect BOs
and exploits in real time. Don't ask me how they hook into the heap to
observe, I'm not at that level... but they do have a mechanism which actually
will stop any BO on Solaris or NT... even unknown or new ones... cool stuff
there.
http://www.entercept.com
2.
Programming... well, you may try to campaign and convince the world to switch
from C/C++ to Ada95 (detects and prevents BOs itself) or Perl (resizes
arrays). Not likely, but hey, I won't argue... but C is here to stay for
now (unless D arrives soon!).
Also:
- you may wish to get Genovex.c and run it against your executables,
especially your suid programs.
http://aemiaif.lip6.fr/willy/pub/genovex/
- check out LCLint, or other similar code checkers, and use it when
programming in C to audit your code: http://lclint.cs.virginia.edu/
3.
Detecting these attacks at the packet or network level is the most popular,
and some would say least effective. You may wish to check out the Snort,
Dragon, NFR, or BlackICE IDS software... they use one form or another
(packet or protocol analysis) to look for the extra 90 90 90h's and other
signs of -known- exploits and BOs. My only statement is that "detection is
only half the battle..." so good luck. Go download Snort and play with it!
It's worth the time...
www.networkice.com (BlackICE)
http://www.enterasys.com/ (Dragon)
www.nfr.com (NFR)
www.sourcefire.com (OpenSnort) or the free one at www.snort.com
But to answer your question, it's "YES, there are ways to detect the attacks
and even ways to stop/prevent them ahead of time."
-oliver p.
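The reply above describes network IDS tools looking for "the extra 90 90 90h's", i.e. runs of the x86 NOP byte that pad a buffer-overflow payload. The following is an added example, not code from the original post or from any of the products named in it: a minimal Python detector that applies that heuristic to packet payloads. The threshold of 16 bytes and the sample payloads are constructed assumptions for illustration, not values taken from any real rule set.

```python
# Added example (not from the original post): a NOP-sled heuristic of the kind
# the reply attributes to packet-level IDS tools. It measures the longest run of
# 0x90 (x86 NOP) bytes in a payload and flags anything at or above a threshold.

NOP = 0x90
DEFAULT_THRESHOLD = 16  # assumed cut-off; a real rule would be tuned per protocol


def longest_nop_run(payload: bytes, nop: int = NOP) -> int:
    """Return the length of the longest contiguous run of `nop` bytes."""
    best = run = 0
    for b in payload:
        run = run + 1 if b == nop else 0
        if run > best:
            best = run
    return best


def classify(payload: bytes, threshold: int = DEFAULT_THRESHOLD) -> dict:
    """Apply the sled heuristic to one payload and report the evidence."""
    run = longest_nop_run(payload)
    return {"longest_nop_run": run, "flagged": run >= threshold}


# Constructed sample payloads: one ordinary HTTP request, one request with a
# 40-byte NOP sled in front of a redacted body, and a binary blob with a short
# run of 0x90 that should NOT be flagged at the default threshold.
SAMPLES = {
    "benign_http": b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n",
    "nop_sled": b"USER " + b"\x90" * 40 + b"<body omitted>",
    "short_run": b"\x00\x90\x90\x90\x00\x01\x02",
}


def scan_samples(threshold: int = DEFAULT_THRESHOLD) -> dict:
    """Run the heuristic over every constructed sample and return the verdicts."""
    return {name: classify(p, threshold) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:12s} longest_nop_run={verdict['longest_nop_run']:3d} "
              f"flagged={verdict['flagged']}")
```

The heuristic only finds the byte pattern it is told to look for, which is the reply's own caveat about signatures for known exploits: a short run of 0x90 in a binary protocol is legitimate traffic, so the threshold governs the false-positive rate, and a flag is a starting point for investigation rather than proof of an attack.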