Re: Detecting exploits/shellcode

[turnere () MimeStar com (turnere)]

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
On Thu, 15 Jun 2000 Mark.Teicher () predictive com wrote:
> -----------------------------------------------------------------------------
> Actually, NFR is one of two companies that can do packet de-assembly. and 
> detection analysis.
>
> A free 2XL NFR jacket to the one who can name the second.. :)

SecureNet PRO has this capability, and much more.  Using the SNP-L
scripting language, one can inspect packets or stream data on any of the
major protocol layers.  This allows for inspection of raw Ethernet frames,
IP packet data, TCP/UDP packets, or actual reassembled TCP connection
streams.  In addition, all fragmented IP data is reassembled and all
out-of-order or overlapping TCP segments are also reconstructed.

Arbitrary state information (such as user login state, number of login
attempts seen in a transaction, number of server errors) can be stored
in a global pool, or pools tied to specific connection circuits, monitored
hosts, and so on.

As far as I know, SNP-L is also the only attack detection scripting
language which offers a byte-code compiler (allowing SNP-L scripts to be
compiled once, and saved to disk as byte-code for quick reloading),
multi-dimensional array support, tunable memory utilization high-water
marks, and so on.

So where's my free NFR jacket?  Who should I contact with my address? =)
Thanks,

Elliot Turner
turnere () MimeStar com
(540) 953-3006
http://www.MimeStar.com
MimeStar, Inc.
> /mark
>
>
>
>
> "Marcus J. Ranum" <mjr () nfr net>
> Sent by: owner-ids () uow edu au
> 06/15/00 08:03 AM
>
>  
>         To:     Jonas Eriksson <je () sekure net>, ids () uow edu au
>         cc: 
>         Subject:        Re: IDS: Detecting exploits/shellcode
>
>
> Archive: http://msgs.securepoint.com/ids
> FAQ: http://www.ticm.com/kb/faq/idsfaq.html
> IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
> HELP: Having problems... email questions to ids-owner () uow edu au
> NOTE: Remove this section from reply msgs otherwise the msg will bounce.
> SPAM: DO NOT send unsolicted mail to this list.
> UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
> -----------------------------------------------------------------------------
> Jonas Eriksson wrote:
> > Is it possible to detect buffer-overflow exploits beeing sent
> > over the network, execpt for having a database of shellcode?
>
> The straightforward way (looking for strings) is pretty
> limited, but it's not impossible to detect buffer overflows.
> For example, NFR does it. ;) The way we do it is by protocol
> analysis - we monitor the complete protocol under inspection,
> so we know when/where buffers of unusual sizes make sense.
> For example, large buffers make sense in SMTP DATA but not
> in RCPT To:.
>
> As far as I know, we've got the only IDS engine that allows
> detailed enough analysis to do this kind of detection. For
> sure, you can't do it just by looking for strings. ;) We
> knew that years ago but everyone else only just now seems
> to be figuring it out. ;)
>
> mjr.
>
> -----
> Marcus J. Ranum
> Chief Technology Officer, Network Flight Recorder, Inc.
> Work:                  http://www.nfr.net
> Personal:              http://pubweb.nfr.net/~mjr