Re: Polymorphic Shellcode detection

From: Krzysztof Zaraska (kzaraska_at_student.uci.agh.edu.pl)
Date: 05/06/03

    Date: Tue, 6 May 2003 23:41:38 +0200
    To: "ulfabodo" <ulfabodo@rediffmail.com>

    On 6 May 2003 11:23:40 -0000
    "ulfabodo" <ulfabodo@rediffmail.com> wrote:

    > Hi,
    > I wanted to find out if the present IDSes are able to detect
    > polymorphic shellcodes a.k.a. ADMmutate and its variants. I had
    > just gone through K2's article and at that time he claims that ISS
    > was not able to detect the method which he has given.
    > What about the other IDS vendors? Have they been able to detect
    > such exploits?

    Prelude NIDS 0.8.0 and later include a ShellCode plugin that should detect
    polymorphic shellcodes.

    > Can anyone throw some light on how the detection mechanism might work??

    Take a look at:

    http://www.ngsec.com/docs/whitepapers/polymorphic_shellcodes_vs_app_IDSs.PDF

    AFAIK Prelude's implementation is not documented (well, you have the
    source ;)), but IIRC it works around the same concept (counting
    NOP-equivalent instructions in a single string and alerting once a threshold
    is exceeded).

    Regards,
    Krzysztof

    -- 
    // Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
    // http://mops.uci.agh.edu.pl/~kzaraska/ * http://www.prelude-ids.org/
    // A dream will always triumph over reality, once it is given the chance.
    //          -- Stanislaw Lem
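The detection concept Krzysztof describes (count consecutive NOP-equivalent instructions in one string, alert past a threshold) as an added, self-contained illustration. This is not Prelude's ShellCode plugin nor code from the NGSec paper; the opcode table is an illustrative subset of single-byte x86 instructions commonly treated as NOP-equivalents, the threshold of 32 and the sample payload are constructed here, and the last check shows the heuristic's well-known weakness: printable ASCII in the 0x40-0x4F range is itself a run of NOP-equivalents, so plain text can trigger it.

```python
# Added example, not part of the original mailing-list post or of Prelude NIDS.
# A simple NOP-sled heuristic: scan a byte string, track the longest run of
# single-byte x86 instructions that are harmless to fall through, and flag the
# string once that run reaches a threshold.

# Illustrative subset (an assumption of this example, not Prelude's table) of
# single-byte x86 opcodes that act as NOP-equivalents in a landing pad.
NOP_EQUIVALENTS = frozenset([
    0x90,                                              # nop
    0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,    # inc r32
    0x48, 0x49, 0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x4F,    # dec r32
    0x98, 0x99,                                        # cwde, cdq
    0x9E, 0x9F,                                        # sahf, lahf
    0xF5, 0xF8, 0xF9, 0xFC, 0xFD,                      # cmc, clc, stc, cld, std
    0x27, 0x2F, 0x37, 0x3F,                            # daa, das, aaa, aas
])

DEFAULT_THRESHOLD = 32  # constructed value; a real sensor tunes this per site


def longest_nop_run(data: bytes) -> int:
    """Return the length of the longest contiguous run of NOP-equivalent bytes."""
    best = current = 0
    for byte in data:
        if byte in NOP_EQUIVALENTS:
            current += 1
            if current > best:
                best = current
        else:
            current = 0
    return best


def is_suspicious(data: bytes, threshold: int = DEFAULT_THRESHOLD) -> bool:
    """Alert when a single string carries a NOP-equivalent run >= threshold."""
    return longest_nop_run(data) >= threshold


# Constructed sample: a 50-byte landing pad mixing several NOP-equivalents
# (the kind of variation a polymorphic engine produces instead of plain 0x90),
# followed by four filler bytes standing in for an opaque body.
SAMPLE_SLED_PAYLOAD = bytes([0x90, 0x41, 0x4A, 0xF8, 0x98] * 10) + bytes([0x00, 0x01, 0x02, 0x03])

# Constructed benign inputs for comparison.
SAMPLE_TEXT = b"hello world"
SAMPLE_ASCII_RUN = b"A" * 40   # 0x41 = inc ecx: printable text that looks like a sled


def classify(data: bytes, threshold: int = DEFAULT_THRESHOLD) -> str:
    """Human-readable verdict for the reader running the example stand-alone."""
    run = longest_nop_run(data)
    verdict = "ALERT" if run >= threshold else "ok"
    return f"{verdict}: longest NOP-equivalent run = {run} (threshold {threshold})"


if __name__ == "__main__":
    print("sled payload  ->", classify(SAMPLE_SLED_PAYLOAD))
    print("hello world   ->", classify(SAMPLE_TEXT))
    print("'A' * 40      ->", classify(SAMPLE_ASCII_RUN))
```

The third input is the practitioner's caveat: because the inc/dec opcodes coincide with the ASCII letters `@` through `O`, a run of capital letters in ordinary traffic scores exactly like a sled. Sensors built on this idea pair the run counter with other evidence (non-printable bytes in the run, the protocol field the string sits in) before alerting, and the threshold has to be tuned against real traffic to keep the false-positive rate usable.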