Intrusion Detection Systems mailing list archives
Re: Detecting exploits/shellcode
From: zav () uni pt (Marco Vaz)
Date: Thu, 15 Jun 2000 19:55:49 +0100
Jonas Eriksson wrote:
> Is it possible to detect buffer-overflow exploits being sent over the network, except for having a database of shellcode? Should it be possible somehow to decode the assembler code being sent, or am I wrong?
>
> -- Jonas Eriksson
A database is not a good approach. Machine code sent to a vulnerable machine can be self-modifying code (since the area attacked must be writable); it can pass on the wire 'encrypted' and 'decrypt' at run time. It is possible to analyze the machine code, but not just by comparing strings. Shellcode can have some key points (like getting the address where the code is, and some system calls), but this can vary a lot. If the attacker has some brainware he/she can make his own code, different from the more used ones.

Marco Vaz
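To make the point of the reply above concrete, here is an added example in Python (not part of the thread, and not anyone's IDS code): a constructed, non-executable byte string stands in for shellcode; a stored signature matches it in the clear but no longer matches after the single-byte XOR transformation that "encrypted on the wire, decrypted at run time" implies, while a content-independent check on a protocol field that should be text still flags both forms. The payload bytes, the database entry, the key and the function names are all assumptions made for the example.

```python
import math

# Constructed stand-in for shellcode: 40 high bytes, not executable code.
PAYLOAD = bytes(range(0x80, 0xA8))

# A "database of shellcode" entry: the first 16 bytes of the sample, stored
# verbatim the way a string-matching IDS would.
SIGNATURE_DB = {"constructed-sig-1": PAYLOAD[:16]}


def signature_match(data: bytes, db=SIGNATURE_DB) -> list:
    """Names of database entries that occur verbatim in data."""
    return [name for name, sig in db.items() if sig in data]


def xor_transform(data: bytes, key: int) -> bytes:
    """Single-byte XOR: the symmetric 'encrypt on the wire, decrypt at
    run time' step the reply describes; applying it twice restores data."""
    return bytes(b ^ key for b in data)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for an empty buffer."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [data.count(bytes([v])) for v in set(data)]
    return -sum(c / n * math.log2(c / n) for c in counts)


def nonprintable_ratio(data: bytes) -> float:
    """Fraction of bytes outside printable ASCII (tab, CR, LF allowed)."""
    if not data:
        return 0.0
    text = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return 1 - text / len(data)


def looks_like_code(field: bytes, max_nonprintable: float = 0.2) -> bool:
    """Content-independent check for a protocol field that should be text."""
    return nonprintable_ratio(field) > max_nonprintable


# Constructed requests: the sample payload in clear and after transformation
# with a key the sender could pick at random (0x55 is an arbitrary choice).
CLEAR = b"USER " + PAYLOAD + b"\r\n"
ENCODED = b"USER " + xor_transform(PAYLOAD, 0x55) + b"\r\n"

if __name__ == "__main__":
    for label, req in (("clear", CLEAR), ("encoded", ENCODED)):
        print(label, signature_match(req), looks_like_code(req),
              round(shannon_entropy(req), 2))
```

Such a check trades a signature for a heuristic, so it also fires on fields that legitimately carry binary data and needs a threshold tuned per protocol.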
