Intrusion Detection Systems mailing list archives

Re: Detecting exploits/shellcode


From: diphen () agitation net (diphen () agitation net)
Date: Thu, 15 Jun 2000 14:40:48 +0000


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au

The rules many people have put together for snort typically look for the
NOP padding, so basically NOPs going across the wire.  You could
obviously look for any binary data, such as shellcode, but there's a lot of
it out there so you're probably better off looking for specifics like
NOPs.

-gabe
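
As an added illustration of the NOP-sled matching gabe describes (example code written for this archive page, not from the original thread or from the Snort project): a small Python detector that flags long runs of the x86 single-byte NOP (0x90) in a payload and builds the equivalent Snort `content` option. The run threshold and the sample payloads are constructed for the example.

```python
import re

NOP = 0x90  # x86 single-byte NOP, the classic sled filler


def find_nop_sled(payload: bytes, min_run: int = 32):
    """Return (offset, length) of the longest run of 0x90 bytes that is at
    least min_run long, or None if the payload contains no such run.

    A long run of consecutive NOPs is what the Snort-style rules match on.
    The threshold is the tuning knob: short runs of 0x90 do occur in ordinary
    binary traffic, so a low threshold raises false positives, while a high
    one misses short sleds.
    """
    pattern = rb"\x90{%d,}" % min_run   # greedy, so each match is a whole run
    best = None
    for m in re.finditer(pattern, payload):
        length = m.end() - m.start()
        if best is None or length > best[1]:
            best = (m.start(), length)
    return best


def snort_content_for(run_len: int) -> str:
    """Build the hex 'content' option a Snort rule would use to match a run
    of run_len NOPs, e.g. content:"|90 90 90|";"""
    return 'content:"|' + " ".join(["90"] * run_len) + '|";'


# Constructed sample payloads (no real exploit data): one carrying a 64-byte
# sled after a short request prefix, and a benign binary blob that contains a
# single 0x90 every 256 bytes and must not trigger.
SUSPICIOUS = b"GET /cgi-bin/x?" + bytes([NOP]) * 64 + bytes(range(200))
BENIGN = bytes(range(256)) * 4

if __name__ == "__main__":
    print(find_nop_sled(SUSPICIOUS))  # (15, 64)
    print(find_nop_sled(BENIGN))      # None
    print(snort_content_for(16))
```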

On Thu, Jun 15, 2000 at 09:30:15AM +0200, Jonas Eriksson wrote:

Is it possible to detect buffer-overflow exploits being sent
over the network, except for having a database of shellcode?

Should it be possible somehow to decode the assembler code
being sent, or am I wrong?


-- 
Jonas Eriksson 
