Intrusion Detection Systems mailing list archives

Re: Detecting exploits/shellcode

From: robert_david_graham () yahoo com (Robert Graham)
Date: Thu, 15 Jun 2000 14:58:34 -0700 (PDT)


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
--- "Marcus J. Ranum" <mjr () nfr net> wrote:

Jonas Eriksson wrote:

Is it possible to detect buffer-overflow exploits beeing sent
over the network, execpt for having a database of shellcode?


The straightforward way (looking for strings) is pretty
limited, but it's not impossible to detect buffer overflows.
For example, NFR does it. ;) The way we do it is by protocol
analysis - we monitor the complete protocol under inspection,
so we know when/where buffers of unusual sizes make sense.
For example, large buffers make sense in SMTP DATA but not
in RCPT To:.

As far as I know, we've got the only IDS engine that allows
detailed enough analysis to do this kind of detection.


Um. BlackICE works this way, too.

This is one of the problems with evaluating IDSs. There are numerous packages
that have overflows in the username/password login sequence. There are numerous
published exploits for these, often for multiple CPUs. The combination means
that you could easily have an IDS that has hundreds of "signatures" for all the
different possibilities. BlackICE (and presumably NFR) has only a couple
signatures that detects when the length of the field is unusually long. This is
why both NFR and Network ICE quote a range of "signatures" rather than a single
number, because it depends on how you count.

For
sure, you can't do it just by looking for strings. ;) We
knew that years ago but everyone else only just now seems
to be figuring it out. ;)


Well, you can. A usual feature of shell-code is a long string of NOOPs (machine
language 'no operation' instructions) before the actual code. The NOOP code on
the Intel X86 CPU is a "90", so IDSs like Dragon and Snort will look for a long
string of 90 90 90 90 in any packet that goes across the wire. The upside is
that it can detect buffer overflows in protocols not analyzed by BlackICE or
NFR. The downside is that this leads to higher false positives; in the olden
days before I got nicer, I would fill the GIF color tables with 909090 on my
website in order to have fun with such IDSs at the user end. An example GIF is
at:
http://www.robertgraham.com/images/909090.gif

Rob.

 

=====
Robert Graham  http://www.robertgraham.com/pubs

__________________________________________________
Do You Yahoo!?
Yahoo! Photos -- now, 100 FREE prints!
http://photos.yahoo.com

Current thread:

Detecting exploits/shellcode Jonas Eriksson (Jun 15)
- Re: Detecting exploits/shellcode diphen () agitation net (Jun 15)
- Re: Detecting exploits/shellcode Marco Vaz (Jun 15)
- FW: Snort 1.6 and nmap 2.54beta1 Mila, Brian D (Jun 15)
- <Possible follow-ups>
- Re: Detecting exploits/shellcode Marcus J. Ranum (Jun 15)
  - Re: Detecting exploits/shellcode Ron Gula (Jun 15)
    - Re: Detecting exploits/shellcode Max Vision (Jun 16)
    - Re: Detecting exploits/shellcode Max Vision (Jun 17)
  - Testing Message at 12:35 idsmlist owner (Jun 15)
  - Testing Message at 15:45 idsmlist owner (Jun 16)
- Re: Detecting exploits/shellcode Robert Graham (Jun 15)
- Re: Detecting exploits/shellcode Mark.Teicher () predictive com (Jun 15)
  - Re: Detecting exploits/shellcode John Bradberry (Jun 16)
  - Re: Detecting exploits/shellcode turnere (Jun 16)
- Re: Detecting exploits/shellcode Max Vision (Jun 16)