Intrusion Detection Systems: Re: Detecting exploits/shellcode

Re: Detecting exploits/shellcode

From: Marcus J. Ranum <mjr_at_nfr.net>
Date: Thu, 15 Jun 2000 11:03:39 -0400

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo_at_uow.edu.au
Jonas Eriksson wrote:
>Is it possible to detect buffer-overflow exploits being sent
>over the network, except for having a database of shellcode?

The straightforward way (looking for strings) is pretty
limited, but it's not impossible to detect buffer overflows.
For example, NFR does it. ;) The way we do it is by protocol
analysis - we monitor the complete protocol under inspection,
so we know when/where buffers of unusual sizes make sense.
For example, large buffers make sense in SMTP DATA but not
in RCPT To:.

As far as I know, we've got the only IDS engine that allows
detailed enough analysis to do this kind of detection. For
sure, you can't do it just by looking for strings. ;) We
knew that years ago but everyone else only just now seems
to be figuring it out. ;)

mjr.

-----
Marcus J. Ranum
Chief Technology Officer, Network Flight Recorder, Inc.
Work: http://www.nfr.net
Personal: http://pubweb.nfr.net/~mjr
Received on Jun 15 2000
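The contrast Ranum draws, a shellcode string database versus knowing where in the protocol a buffer appears, as an added example that is not code from the original post or from NFR. It follows an SMTP client stream, tracks DATA state so that large message bodies are left alone, and applies a per-verb argument budget to command lines. The budgets are the RFC 5321 maxima (section 4.5.3.1); treating anything above them as an alert, the sample sessions, and the 8-byte NOP sled used as the "signature" are this example's assumptions.

```python
"""Protocol-aware detection of oversized SMTP command arguments.

Added example (not the original post's or NFR's code): a naive shellcode
string match beside a state-tracking check that judges buffer sizes by
where they occur in the SMTP dialogue.
"""

# Octet budgets per SMTP verb argument, taken from RFC 5321 section 4.5.3.1.
# DATA is deliberately absent: large content is legitimate there, so the body
# is tracked and skipped rather than measured. Alerting above the RFC maxima
# is this example's policy choice.
ARG_LIMITS = {
    "HELO": 255, "EHLO": 255,   # domain
    "MAIL": 256, "RCPT": 256,   # reverse / forward path
    "VRFY": 256, "EXPN": 256,
}
LINE_LIMIT = 512  # command line including CRLF (RFC 5321)

NOP_SLED = b"\x90" * 8  # x86 NOP sled: the classic signature-database entry


def naive_shellcode_match(stream: bytes) -> bool:
    """The string-matching approach: fires only if the known sled appears."""
    return NOP_SLED in stream


def inspect_smtp_client_stream(stream: bytes) -> list:
    """Return alert strings for one client->server SMTP byte stream.

    Walks the dialogue line by line, remembers whether we are inside a DATA
    body (terminated by a lone "."), and applies the per-verb budget only to
    command arguments, so a 2000-octet body line raises nothing while a
    600-octet RCPT path does.
    """
    alerts = []
    in_data = False
    for lineno, raw in enumerate(stream.split(b"\r\n"), 1):
        if in_data:
            if raw == b".":
                in_data = False
            continue  # message body: long lines are expected here
        if not raw:
            continue
        if len(raw) + 2 > LINE_LIMIT:
            alerts.append(f"line {lineno}: command line is {len(raw) + 2} octets (> {LINE_LIMIT})")
        verb, _, arg = raw.partition(b" ")
        verb = verb.upper().decode("ascii", "replace")
        if verb == "DATA":
            in_data = True
            continue
        limit = ARG_LIMITS.get(verb)
        if limit is not None and len(arg) > limit:
            alerts.append(f"line {lineno}: {verb} argument is {len(arg)} octets (> {limit})")
    return alerts


def build_session(payload: bytes) -> bytes:
    """Constructed sample traffic (not a real capture): a clean exchange with a
    2000-octet body line, then a RCPT whose path is the given payload."""
    return b"".join([
        b"EHLO client.example\r\n",
        b"MAIL FROM:<alice@example.org>\r\n",
        b"RCPT TO:<bob@example.net>\r\n",
        b"DATA\r\n",
        b"Subject: test\r\n",
        b"\r\n",
        b"A" * 2000 + b"\r\n",          # legitimate large buffer inside DATA
        b".\r\n",
        b"RCPT TO:<" + payload + b">\r\n",
        b"QUIT\r\n",
    ])


SLED_SESSION = build_session(b"\x90" * 600)     # overflow carrying a NOP sled
PLAIN_SESSION = build_session(b"A" * 600)       # same overflow, no sled at all
BENIGN_SESSION = build_session(b"carol@example.com")

if __name__ == "__main__":
    for name, session in (("sled", SLED_SESSION), ("plain", PLAIN_SESSION), ("benign", BENIGN_SESSION)):
        print(f"{name:7} string-match={naive_shellcode_match(session)!s:5} "
              f"protocol={inspect_smtp_client_stream(session)}")
```

The string matcher fires on the sled session only; the protocol check flags both oversized RCPT lines (line 9 in each constructed session) and stays quiet on the 2000-octet DATA line, which is exactly the distinction the post makes.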
