The code is interesting and pretty nice except that it detects just about
anything as shellcode. Even the last e-mail I sent out to you and forgot to
CC to the list. ;-)

IA32 shellcode found: Protocol TCP 127.0.0.1:57118 -> 127.0.0.1:25
Dumping data:
Message-ID: <3C52F9DA.451181D7at_private
m>..Date: Sat, 26 Jan 2002 11:47:54 -070
0..From: Charles 'core' Stevenson <core@
bokeoa.com>..Reply-To: coreat_private
X-Mailer: Mozilla 4.7 [en] (X11; I; Linu
x 2.4.15-pre4 ppc)..X-Accept-Language: e
n..MIME-Version: 1.0..To: Robert Flicker
 <robert_flickerat_private>..Subject:
Re: [NGSEC] Whitepaper Released: Polymor
phic shellcodes vs. .. ApplicationIDSs..
References: <F153nHxRKYblf8nFJ3V0001881d
@hotmail.com>..Content-Type: text/plain;
 charset=us-ascii..Content-Transfer-Enco
ding: 7bit....But it also detected the l
ast e-mail I sent as shellcode.....Haha.
.....peace,..core....Robert Flicker wrot
e:..> ..> Hi charles:..> ..> Have you te
sted the sourcecode that comes with the
paper:..> ..> http://www.ngsec.com/downl
oads/misc/NIDSfindshellcode.tgz..> ..> A
s far as i know is the first public code
 that does this stuff...> It may be not
hot-news but i think it worth the downlo
ad, and is a better..> solution for curr
ent IDS than your exoteric thoughts with
 Neuronal Networks..> and distributed si
gnature checking... INMHO uimplementable
 in current IDS..> technologies...> ..>
Quoting from www.snort.org:..> ..> "Pape
r: Polymorphicisms be gone..> .....> His
 ideas revolve around counting multiple
NOP type operations in a row and..> aler
ting when a threshold is reached. The id
ea has been kicked around for a..> while
, but this is the first one that I have
seen in actual implementation...> .....>
 "..> ..> Current snort branch and its t
echnique to detect shellcode is very eas
y..> foolable ;P... NIDSfindshellcode is
 also foolable but in a harder way...> .
.> Robert Flicker..> ..> _______________
________________________________________
__________..> Join the world?s largest e
-mail service with MSN Hotmail...> http:
//www.hotmail.com.....

Best Regards,
Charles Stevenson

Robert Flicker wrote:
> 
> Hi Charles:
> 
> Have you tested the sourcecode that comes with the paper:
> 
> http://www.ngsec.com/downloads/misc/NIDSfindshellcode.tgz
> 
> As far as I know it is the first public code that does this stuff.
> It may not be hot news but I think it is worth the download, and is a better
> solution for current IDS than your esoteric thoughts with Neural Networks
> and distributed signature checking... IMHO unimplementable in current IDS
> technologies.
> 
> Quoting from www.snort.org:
> 
> "Paper: Polymorphicisms be gone
> ...
> His ideas revolve around counting multiple NOP type operations in a row and
> alerting when a threshold is reached. The idea has been kicked around for a
> while, but this is the first one that I have seen in actual implementation.
> ...
> "
> 
> Current snort branch and its technique to detect shellcode is very easily
> foolable ;P... NIDSfindshellcode is also foolable but in a harder way.
> 
> Robert Flicker
> 
> _________________________________________________________________
> Join the world's largest e-mail service with MSN Hotmail.
> http://www.hotmail.com
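The quoted snort.org summary describes the technique as counting consecutive "NOP type" instructions and alerting past a threshold. The following is an added example, written for this archive page; it is not NGSEC's NIDSfindshellcode, not the code from the .tgz above, and not something either poster wrote. It implements that counting idea with an assumed table of single-byte IA-32 instructions and an assumed threshold of 8, then runs it over four constructed byte strings (a classic 0x90 sled, a sled built only from printable opcodes, a line of ordinary mail text, and a line with a shouted header word) to show two things the thread touches on: why plain text can trip a run-counting detector (0x40-0x5f, the inc/dec/push/pop opcodes, is exactly '@', 'A'-'Z', '[', '\', ']', '^', '_'), and why narrowing the detector to non-printable bytes to cut those false positives makes it blind to a printable-only sled. NGSEC's real opcode table and threshold are not on this page, so the exact reason the e-mail above fired is not reproduced here.

```c
/*
 * Added example (not NGSEC's NIDSfindshellcode, not code from this thread):
 * a minimal "consecutive NOP-equivalent" detector of the kind the quoted
 * snort.org summary describes, run over constructed samples.  The opcode
 * table and the threshold are this example's assumptions, not NGSEC's.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed table of single-byte IA-32 instructions a sled can be built from:
 * 0x90 nop, 0x40-0x4f inc/dec r32, 0x50-0x5f push/pop r32, 0x91-0x97 xchg
 * eax,r32, 0x98 cwde, 0x99 cdq, 0x27/0x2f/0x37/0x3f daa/das/aaa/aas,
 * 0x60/0x61 pushad/popad, 0x9b fwait, 0x9e sahf, 0x9f lahf, 0xf5 cmc,
 * 0xf8/0xf9 clc/stc, 0xfc/0xfd cld/std.  Note that 0x40-0x5f is exactly
 * the printable range '@', 'A'-'Z', '[', '\\', ']', '^', '_'. */
static int is_nop_equiv(unsigned char b)
{
    if (b == 0x90 || (b >= 0x40 && b <= 0x5f) || (b >= 0x91 && b <= 0x99))
        return 1;
    switch (b) {
    case 0x27: case 0x2f: case 0x37: case 0x3f: case 0x60: case 0x61:
    case 0x9b: case 0x9e: case 0x9f: case 0xf5: case 0xf8: case 0xf9:
    case 0xfc: case 0xfd:
        return 1;
    default:
        return 0;
    }
}

/* Length of the longest run of consecutive bytes accepted by `accept`. */
static size_t longest_run(const unsigned char *buf, size_t len,
                          int (*accept)(unsigned char))
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        if (accept(buf[i])) {
            if (++cur > best) best = cur;
        } else {
            cur = 0;
        }
    }
    return best;
}

/* Naive detector: any NOP-equivalent byte extends the run. */
size_t longest_nop_run(const unsigned char *buf, size_t len)
{
    return longest_run(buf, len, is_nop_equiv);
}

/* "Hardened" variant that ignores printable bytes to cut text false
 * positives; the price is that it no longer sees a sled built only from
 * printable opcodes. */
static int is_nonprintable_nop_equiv(unsigned char b)
{
    return is_nop_equiv(b) && !isprint(b);
}
size_t longest_nonprintable_nop_run(const unsigned char *buf, size_t len)
{
    return longest_run(buf, len, is_nonprintable_nop_equiv);
}

/* Threshold rule as the snort.org summary describes it. */
int looks_like_sled(const unsigned char *buf, size_t len, size_t threshold)
{
    return longest_nop_run(buf, len) >= threshold;
}

/* Constructed samples, not captured traffic. */
#define NOP8 "\x90\x90\x90\x90\x90\x90\x90\x90"
/* 32 x nop, then xor eax,eax ; int 0x80 standing in for a payload. */
static const unsigned char classic_sled[] = NOP8 NOP8 NOP8 NOP8 "\x31\xc0\xcd\x80";
/* 32 printable bytes, every one a single-byte inc/dec/push/pop. */
static const unsigned char printable_sled[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ@[\\]^_" "\x31\xc0\xcd\x80";
/* Ordinary mail text in the style of the message above. */
static const unsigned char mail_text[] =
    "Have you tested the sourcecode that comes with the paper:";
/* A shouted header word is a 9-byte run of inc/dec/push/pop opcodes. */
static const unsigned char shouted_text[] =
    "Subject: IMPORTANT NOTICE from the list admin";
#define LEN(s) (sizeof(s) - 1)   /* drop the terminating NUL */

int main(void)
{
    const struct { const char *name; const unsigned char *buf; size_t len; } s[] = {
        { "classic 0x90 sled", classic_sled,   LEN(classic_sled) },
        { "printable sled",    printable_sled, LEN(printable_sled) },
        { "mail text",         mail_text,      LEN(mail_text) },
        { "shouted text",      shouted_text,   LEN(shouted_text) },
    };
    const size_t threshold = 8;  /* assumed; the real tool's value is not on the page */
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-18s naive run=%2zu (%s)  non-printable run=%2zu\n", s[i].name,
               longest_nop_run(s[i].buf, s[i].len),
               looks_like_sled(s[i].buf, s[i].len, threshold) ? "ALERT" : "ok",
               longest_nonprintable_nop_run(s[i].buf, s[i].len));
    return 0;
}
```

With the assumed table the lowercase mail line never gets past a run of 2, but the single word IMPORTANT is a run of 9 and alerts at the same threshold as the two 32-byte sleds; restricting the count to non-printable bytes silences that line and also drops the printable sled to 0, which is the trade-off behind "foolable but in a harder way".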
This archive was generated by hypermail 2b30 : Sat Jan 26 2002 - 11:16:19 PST