Re: Obfuscated shellcode

From: Aaron Turner (aturner_at_pobox.com)
Date: 02/01/04

    Date: Sun, 1 Feb 2004 12:29:49 -0800
    To: Don Parker <dparker@rigelksecurity.com>

    Don,

    While most IDSs will detect a NOOP sled, any IDS worth its salt which has
    a signature for an exploit won't rely on it. Rather it will use something
    unique to the exploit which can't (at least easily) be changed to avoid
    detection.

    Also, in my experience most corporations update their signatures about as
    often as feasible (a combination of how often the IDS vendor updates the
    signatures and how easy it is to push the update to the sensors). Any
    organization which isn't using the latest signature set is wasting their
    effort and $$$. I.e., if you have to carefully manage your signature set
    and delay updating your sensors because things might horribly break
    without a way to manage that risk, then you should find another IDS
    vendor.

    -- 
    Aaron Turner <aturner at pobox.com|synfin.net>  http://synfin.net/
    They that can give up essential liberty to obtain a little temporary 
    safety deserve neither liberty nor safety. -- Benjamin Franklin
    All emails are PGP signed; a lack of a signature indicates a forgery.
    On Sun, Feb 01, 2004 at 12:38:32PM -0500, Don Parker wrote:
    > Hello all, do any of you bother using obfuscated eggs during a pentest? I ask here for I
    > got no responses elsewhere. Though changing the well known x90 sled to some other 1 byte
    > function that won't affect the egg won't work against a patched service, it will, however,
    > elude an IDS signature.
    >
    > Quite a few large corporations may get updated signatures relatively quickly but, they
    > often do not patch for some time due to baseline rollouts. Hence using an obfuscated egg
    > to slip past the IDS. This technique is not new, but it is becoming more well known.
    > There are some mitigating factors here which could affect this such as application layer
    > firewalls and such. I would however be interested in your thoughts on this. I have
    > not seen much discussion anywhere on this topic.
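Aaron's point that a usable signature keys on something unique to the exploit rather than on the sled, as an added example that is not part of this thread (Python; every byte string below is constructed for the demonstration, and EXPLOIT_MARKER is an assumed stand-in for whatever invariant content a real exploit signature would match):

```python
"""Added example (not from the thread): a sled-based IDS rule is brittle,
while a rule anchored on the exploit's invariant bytes is not.
All byte strings here are constructed for illustration, not real shellcode."""
import re

# Constructed stand-in for the part of a payload that is unique to one exploit
# (a real signature would use, e.g., a fixed trigger string or protocol field).
# The value is an assumption for this demo.
EXPLOIT_MARKER = b"\x12\x34\x56\x78CONSTRUCTED_TRIGGER"

def sled_signature(payload: bytes, min_run: int = 32) -> bool:
    """Classic sled rule: fire only on a run of at least min_run 0x90 bytes."""
    return re.search(rb"\x90{%d,}" % min_run, payload) is not None

def repeated_byte_heuristic(payload: bytes, min_run: int = 32) -> bool:
    """Sled-agnostic heuristic: a long run of ANY single repeated byte.
    Catches single-byte substitutes for 0x90 but also fires on benign padding,
    so it is a heuristic with false positives, not an exploit signature."""
    pattern = rb"(.)\1{%d,}" % (min_run - 1)
    return re.search(pattern, payload, re.DOTALL) is not None

def exploit_signature(payload: bytes) -> bool:
    """Rule keyed on the exploit's invariant content, independent of the sled."""
    return EXPLOIT_MARKER in payload

def classify(payload: bytes) -> dict:
    """Run all three rules over one payload and report which fired."""
    return {
        "sled_rule": sled_signature(payload),
        "repeated_byte": repeated_byte_heuristic(payload),
        "exploit_rule": exploit_signature(payload),
    }

# Constructed samples: a textbook 0x90 sled; the same payload with the sled
# replaced by a different single filler byte (the substitution Don describes);
# and benign traffic with a long zero-padding run to show the heuristic's FP.
SAMPLE_CLASSIC = b"\x90" * 64 + EXPLOIT_MARKER
SAMPLE_ALT_SLED = b"\x41" * 64 + EXPLOIT_MARKER
SAMPLE_BENIGN_PADDING = b"HEADER" + b"\x00" * 200 + b"payload"

if __name__ == "__main__":
    for name, sample in [("classic", SAMPLE_CLASSIC),
                         ("alt_sled", SAMPLE_ALT_SLED),
                         ("benign", SAMPLE_BENIGN_PADDING)]:
        print(name, classify(sample))
```

Only the exploit-keyed rule is both unaffected by the sled substitution and silent on the benign padding, which is why the signature should anchor there.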