Intrusion Detection Systems mailing list archives

Re: Detecting exploits/shellcode


From: vision () whitehats com (Max Vision)
Date: Sat, 17 Jun 2000 08:40:56 -0700 (PDT)


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
On Fri, 16 Jun 2000, Max Vision wrote:
> On Thu, 15 Jun 2000, Ron Gula wrote:
> > [*] Connection modeling. In some cases, connections to email or
> >     web servers which last for several hours may be of concern.
> This is really good stuff! Doesn't necessarily relate to buffer overflows
> at all, but it's a good consideration. :) There are a few sessions that

Hi,

I was wrong here to say this was unrelated.  My posts are lagged by
probably ten hours so there may already be some flames on their way, but I
thought I'd follow up - yes this can have a *lot* to do with detecting
buffer overflows.

Specifically, many exploits consist of shellcode that, instead of
executing a separate activity, spawn an interactive shell replacing the
daemon process that was exploited.  It didn't initially occur to me that a
naive attacker might actually use this interactive shell for any length
of time.

Max

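The connection-modeling idea discussed above (a session to a mail or web server that lasts for hours, where the daemon has been replaced by an interactive shell) can be checked with a simple per-port duration baseline. The following is an added illustration, not code from the list post or from any tool mentioned in the thread; the flow-log line format, the baseline durations and the sample flows are all constructed for the example.

```python
"""Connection-duration modeling: flag sessions to services that normally
complete in seconds or minutes (SMTP, HTTP, POP3) when they run for hours.

Added example for the thread above, not the poster's code. The log format,
the baseline durations and the sample flows are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Expected maximum session length per destination port. Assumption: in
# practice these would be derived from a baseline of the monitored network.
EXPECTED_MAX = {
    25: timedelta(minutes=10),   # SMTP delivery
    80: timedelta(minutes=5),    # HTTP request/response
    110: timedelta(minutes=10),  # POP3 mailbox fetch
}


@dataclass
class Session:
    start: datetime
    end: datetime
    src: str
    dst: str
    dport: int

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


def parse_line(line: str) -> Session:
    """Parse one constructed flow-log line of the form:
    '<start ISO8601> <end ISO8601> <src>:<sport> -> <dst>:<dport>'"""
    start_s, end_s, src, _arrow, dst = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Session(
        datetime.fromisoformat(start_s),
        datetime.fromisoformat(end_s),
        src_ip,
        dst_ip,
        int(dport),
    )


def flag_long_sessions(lines, expected=EXPECTED_MAX):
    """Return a list of (session, expected_limit) for every session whose
    duration exceeds the baseline for its destination port. Ports with no
    baseline (e.g. SSH, where long sessions are normal) are not flagged."""
    flagged = []
    for line in lines:
        if not line.strip():
            continue
        session = parse_line(line)
        limit = expected.get(session.dport)
        if limit is not None and session.duration > limit:
            flagged.append((session, limit))
    return flagged


# Constructed sample flows: a normal SMTP delivery, a normal HTTP fetch,
# a three-hour "SMTP" session (the pattern the thread describes), and a
# long SSH session that has no baseline and so should not be flagged.
SAMPLE_LOG = """\
2000-06-16T10:00:00 2000-06-16T10:00:12 10.0.0.5:40211 -> 192.0.2.10:25
2000-06-16T10:01:00 2000-06-16T10:01:02 10.0.0.7:40212 -> 192.0.2.20:80
2000-06-16T11:00:00 2000-06-16T14:02:31 198.51.100.9:1337 -> 192.0.2.10:25
2000-06-16T11:30:00 2000-06-16T16:00:00 10.0.0.5:40300 -> 192.0.2.30:22
"""

if __name__ == "__main__":
    for session, limit in flag_long_sessions(SAMPLE_LOG.splitlines()):
        print(f"ALERT {session.src} -> {session.dst}:{session.dport} "
              f"lasted {session.duration} (expected <= {limit})")
```

Run on the constructed log, only the three-hour session to port 25 is reported. Real deployments would build the per-port baseline from observed traffic and would pair this check with the other signals discussed in the thread, since a legitimate long transfer to a mail server can also exceed a fixed limit.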