Intrusion Detection Systems mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Detecting exploits/shellcode

From: mjr () nfr net (Marcus J. Ranum)
Date: Thu, 15 Jun 2000 11:03:39 -0400

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
Jonas Eriksson wrote:

Is it possible to detect buffer-overflow exploits beeing sent
over the network, execpt for having a database of shellcode?


The straightforward way (looking for strings) is pretty
limited, but it's not impossible to detect buffer overflows.
For example, NFR does it. ;) The way we do it is by protocol
analysis - we monitor the complete protocol under inspection,
so we know when/where buffers of unusual sizes make sense.
For example, large buffers make sense in SMTP DATA but not
in RCPT To:.

As far as I know, we've got the only IDS engine that allows
detailed enough analysis to do this kind of detection. For
sure, you can't do it just by looking for strings. ;) We
knew that years ago but everyone else only just now seems
to be figuring it out. ;)

mjr.

-----
Marcus J. Ranum
Chief Technology Officer, Network Flight Recorder, Inc.
Work:                  http://www.nfr.net
Personal:              http://pubweb.nfr.net/~mjr
Previous By Date Next
Previous By Thread Next

Current thread: