Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs
From: Robert Flicker (robert_flicker@hotmail.com)
Date: 01/26/02
From: "Robert Flicker" <robert_flicker@hotmail.com>
To: vuln-dev@securityfocus.com
Date: Sat, 26 Jan 2002 09:55:37 +0000
Hi Charles:
Have you tested the source code that comes with the paper:
http://www.ngsec.com/downloads/misc/NIDSfindshellcode.tgz
As far as I know, it is the first public code that does this stuff.
It may not be hot news, but I think it is worth the download, and it is a better
solution for current IDS than your exoteric thoughts with Neuronal Networks
and distributed signature checking... IMHO unimplementable in current IDS
technologies.
Quoting from www.snort.org:
"Paper: Polymorphicisms be gone
...
His ideas revolve around counting multiple NOP type operations in a row and
alerting when a threshold is reached. The idea has been kicked around for a
while, but this is the first one that I have seen in actual implementation.
...
"
The current Snort branch and its technique to detect shellcode is very easily
foolable ;P... NIDSfindshellcode is also foolable, but in a harder way.
Robert Flicker
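
The check described in the snort.org quote, counting consecutive NOP-type operations and alerting at a threshold, as an added example (not code from NIDSfindshellcode, Snort, or the whitepaper). The one-byte x86 opcode set, the threshold of 32 and the function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SLED_THRESHOLD 32u  /* assumed alert threshold; tune per deployment */

/* Assumed set of one-byte x86 instructions usable as NOP padding. */
static int is_nop_like(uint8_t b)
{
    if (b >= 0x40 && b <= 0x4f) return 1;   /* inc/dec r32 */
    if (b >= 0x90 && b <= 0x97) return 1;   /* nop, xchg eax,r32 */
    switch (b) {
    case 0x27: case 0x2f: case 0x37: case 0x3f:   /* daa das aaa aas */
    case 0x98: case 0x99: case 0x9b:               /* cwde cdq wait */
    case 0xf5: case 0xf8: case 0xf9: case 0xfc: case 0xfd: /* cmc clc stc cld std */
        return 1;
    }
    return 0;
}

/* Length of the longest run of NOP-like bytes; *start receives its offset. */
size_t longest_nop_run(const uint8_t *buf, size_t len, size_t *start)
{
    size_t best = 0, run = 0;
    for (size_t i = 0; i < len; i++) {
        run = is_nop_like(buf[i]) ? run + 1 : 0;
        if (run > best) {
            best = run;
            if (start) *start = i + 1 - run;
        }
    }
    return best;
}

int payload_alerts(const uint8_t *buf, size_t len)
{
    return longest_nop_run(buf, len, NULL) >= SLED_THRESHOLD;
}

int main(void)
{
    /* Constructed sample: "POST " prefix, 40 mixed NOP-like bytes, 'x' filler. */
    static const uint8_t mix[] = { 0x90, 0x41, 0x99, 0xf8, 0x4b };
    uint8_t pkt[64] = "POST ";
    size_t off = 0, run;
    for (size_t i = 0; i < 40; i++) pkt[5 + i] = mix[i % sizeof mix];
    memset(pkt + 45, 'x', sizeof pkt - 45);
    run = longest_nop_run(pkt, sizeof pkt, &off);
    printf("run=%zu offset=%zu alert=%d\n", run, off, payload_alerts(pkt, sizeof pkt));
}
```

Because 0x40-0x4f are also ASCII '@' and 'A'-'O', a long run of those letters in ordinary traffic alerts as well, so the threshold has to be tuned against real traffic.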