-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Just to throw in my $0.02....

Detecting the possibility that a set of information could be polymorphic shellcode is the smaller 1/2 of the game. It seems a semi-trivial task to detect an arbitrary number of NOP instructions that happen to lie in a row. The difficult task is differentiating between any randomly occurring NOP set and a set of NOPs that are actually occurring in an exploit condition. It is the ability to make this differentiation that polymorphic shellcode actually hinders; as the polymorphic engine increases in effectiveness, the ability to differentiate between a piece of shellcode and a random bit stream effectively goes to zero.

The point is made more simply: finding 50-60 NOPs in a row in a given datastream doesn't indicate that the given datastream is shellcode any more than it indicates that it's any other piece of random binary data. And the difficulty in making that determination is what determines the number of false positives that your detection engine is going to have.

And, of course, as Stefan Axelsson pointed out (http://www.raid-symposium.org/raid99/PAPERS/Axelsson.pdf), the actual measure of an IDS's effectiveness comes from its ability to limit *false-positives*, not from limiting false-negatives (which, of course, makes most current commercial IDS offerings look pretty weak). Specifically, the more alerts that fire on email/images/random traffic as "shellcode", the less effective any sort of IDS becomes.

Thus, in my opinion, until one finds a reliable way to determine what is obfuscated/encrypted/polymorphic shellcode and what is not, the ability to have an effective IDS against that type of attack is impossible.

My $0.02...

Mike

On Saturday 26 January 2002 10:53 am, Charles 'core' Stevenson wrote:
> The code is interesting and pretty nice except that it detects just
> about anything as shellcode. Even the last e-mail I sent out to you and
> forgot to CC to the list.
> ;-)
>
> IA32 shellcode found: Protocol TCP 127.0.0.1:57118 -> 127.0.0.1:25
> Dumping data:
> Message-ID: <3C52F9DA.451181D7at_private
> m>..Date: Sat, 26 Jan 2002 11:47:54 -070
> 0..From: Charles 'core' Stevenson <core@
> bokeoa.com>..Reply-To: coreat_private
> X-Mailer: Mozilla 4.7 [en] (X11; I; Linu
> x 2.4.15-pre4 ppc)..X-Accept-Language: e
> n..MIME-Version: 1.0..To: Robert Flicker
> <robert_flickerat_private>..Subject:
> Re: [NGSEC] Whitepaper Released: Polymor
> phic shellcodes vs. .. ApplicationIDSs..
> References: <F153nHxRKYblf8nFJ3V0001881d
> @hotmail.com>..Content-Type: text/plain;
> charset=us-ascii..Content-Transfer-Enco
> ding: 7bit....But it also detected the l
> ast e-mail I sent as shellcode.....Haha.
> .....peace,..core....Robert Flicker wrot
> e:..> ..> Hi charles:..> ..> Have you te
> sted the sourcecode that comes with the
> paper:..> ..> http://www.ngsec.com/downl
> oads/misc/NIDSfindshellcode.tgz..> ..> A
> s far as i know is the first public code
> that does this stuff...> It may be not
> hot-news but i think it worth the downlo
> ad, and is a better..> solution for curr
> ent IDS than your exoteric thoughts with
> Neuronal Networks..> and distributed si
> gnature checking... INMHO uimplementable
> in current IDS..> technologies...> ..>
> Quoting from www.snort.org:..> ..> "Pape
> r: Polymorphicisms be gone..> .....> His
> ideas revolve around counting multiple
> NOP type operations in a row and..> aler
> ting when a threshold is reached. The id
> ea has been kicked around for a..> while
> , but this is the first one that I have
> seen in actual implementation...> .....>
> "..> ..> Current snort branch and its t
> echnique to detect shellcode is very eas
> y..> foolable ;P... NIDSfindshellcode is
> also foolable but in a harder way...> .
> .> Robert Flicker..> ..> _______________
> ________________________________________
> __________..> Join the world?s largest e
> -mail service with MSN Hotmail...> http:
> //www.hotmail.com.....
>
> Best Regards,
> Charles Stevenson
>
> Robert Flicker wrote:
> > Hi Charles:
> >
> > Have you tested the source code that comes with the paper:
> >
> > http://www.ngsec.com/downloads/misc/NIDSfindshellcode.tgz
> >
> > As far as I know it is the first public code that does this stuff.
> > It may not be hot news, but I think it is worth the download, and is a better
> > solution for current IDS than your esoteric thoughts with Neural
> > Networks and distributed signature checking... IMHO unimplementable in
> > current IDS technologies.
> >
> > Quoting from www.snort.org:
> >
> > "Paper: Polymorphicisms be gone
> > ...
> > His ideas revolve around counting multiple NOP type operations in a row
> > and alerting when a threshold is reached. The idea has been kicked around
> > for a while, but this is the first one that I have seen in actual
> > implementation. ...
> > "
> >
> > Current snort branch and its technique to detect shellcode is very easily
> > foolable ;P... NIDSfindshellcode is also foolable but in a harder way.
> >
> > Robert Flicker
> >
> > _________________________________________________________________
> > Join the world's largest e-mail service with MSN Hotmail.
> > http://www.hotmail.com

- --
_____________________________________________________
| Mike Murray <orestesat_private>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE8Uw1qzh1RVm1QrUwRAukCAKCWWZd2t7rOaAtsqlmlRysb63lsmwCaAgVm
lOj4KLlat2jpVFAyuNzkkx4=
=b4c0
-----END PGP SIGNATURE-----
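As an added illustration of the point made in the message above (example code written for this archive page, not the NGSEC NIDSfindshellcode tool and not code posted by anyone in the thread): a threshold detector that counts consecutive single-byte "NOP-equivalent" IA32 instructions, run over four constructed inputs. The table of NOP substitutes, the 64-byte sled size, the threshold of 32 and the LCG seed are this example's own assumptions; the underscore separator and the header line are modelled on the Hotmail footer and a header from the e-mail quoted in the thread.

```c
/* Added example, not the NGSEC NIDSfindshellcode code: a threshold NOP-sled
 * detector of the kind the thread describes, run over constructed inputs.
 * The NOP-equivalent table below is this example's own assumption. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Single-byte IA32 instructions that can pad a sled: each executes harmlessly
 * and falls through to the next byte.  Note how many are printable ASCII. */
static int is_nop_equivalent(uint8_t b)
{
    if (b == 0x90) return 1;                 /* nop */
    if (b >= 0x40 && b <= 0x4f) return 1;    /* inc/dec r32:  ASCII '@'..'O' */
    if (b >= 0x50 && b <= 0x5f) return 1;    /* push/pop r32: ASCII 'P'..'_' */
    switch (b) {
    case 0x27: case 0x2f: case 0x37: case 0x3f: /* daa das aaa aas */
    case 0x60: case 0x61: case 0x98: case 0x99: /* pusha popa cwde cdq */
    case 0x9e: case 0x9f: case 0xf5:            /* sahf lahf cmc */
    case 0xf8: case 0xf9: case 0xfc: case 0xfd: /* clc stc cld std */
        return 1;
    }
    return 0;
}

/* The detector: longest run of consecutive NOP-equivalent bytes. */
size_t longest_nop_run(const uint8_t *buf, size_t len)
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        cur = is_nop_equivalent(buf[i]) ? cur + 1 : 0;
        if (cur > best) best = cur;
    }
    return best;
}

/* What a literal-0x90 signature would see in the same bytes. */
size_t count_0x90(const uint8_t *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) n += (buf[i] == 0x90);
    return n;
}

/* Polymorphic sled: each byte drawn pseudo-randomly (LCG, fixed seed) from the
 * table, with 0x90 itself left out so the signature byte never appears.
 * Returns the number of distinct substitutes available. */
size_t build_poly_sled(uint8_t *out, size_t n, uint32_t seed)
{
    uint8_t table[256];
    size_t k = 0;
    for (int b = 0; b < 256; b++)
        if (b != 0x90 && is_nop_equivalent((uint8_t)b)) table[k++] = (uint8_t)b;
    for (size_t i = 0; i < n; i++) {
        seed = seed * 1103515245u + 12345u;
        out[i] = table[(seed >> 16) % k];
    }
    return k;
}

enum sample { SAMPLE_CLASSIC, SAMPLE_POLY, SAMPLE_HEADER, SAMPLE_FOOTER };

/* Fill buf (at least 128 bytes) with one constructed input; returns its length. */
size_t sample_bytes(enum sample s, uint8_t *buf)
{
    /* An ordinary header line like those in the e-mail the tool flagged. */
    static const char header[] = "Content-Type: text/plain; charset=us-ascii";
    switch (s) {
    case SAMPLE_CLASSIC: memset(buf, 0x90, 64); return 64;
    case SAMPLE_POLY:    build_poly_sled(buf, 64, 0x1337u); return 64;
    case SAMPLE_HEADER:  memcpy(buf, header, sizeof header - 1); return sizeof header - 1;
    /* The Hotmail footer separator quoted in the thread: 65 underscores.
     * '_' is 0x5f, which decodes as the one-byte instruction 'pop edi'. */
    case SAMPLE_FOOTER:  memset(buf, '_', 65); return 65;
    }
    return 0;
}

size_t sample_run(enum sample s)
{
    uint8_t buf[128];
    size_t len = sample_bytes(s, buf);
    return longest_nop_run(buf, len);
}

size_t sample_0x90(enum sample s)
{
    uint8_t buf[128];
    size_t len = sample_bytes(s, buf);
    return count_0x90(buf, len);
}

/* Alert exactly as the thread describes: run length reaches the threshold. */
int sample_alert(enum sample s, size_t threshold)
{
    return sample_run(s) >= threshold;
}

int main(void)
{
    static const char *names[] = { "classic 0x90 sled", "polymorphic sled",
                                   "mail header line", "mail footer separator" };
    for (int s = SAMPLE_CLASSIC; s <= SAMPLE_FOOTER; s++)
        printf("%-22s run=%2zu 0x90s=%2zu alert(32)=%d\n", names[s],
               sample_run((enum sample)s), sample_0x90((enum sample)s),
               sample_alert((enum sample)s, 32));
    return 0;
}
```

Run as-is, the classic sled and the polymorphic sled both produce a run of 64 and trip the threshold, while the polymorphic one contains no 0x90 byte at all, so a plain NOP signature would miss it. The header line never gets a run above 1. The 65-underscore footer separator, however, produces a run of 65 and trips the same threshold, which is the false-positive class the message complains about: to the run counter, a line of underscores in a mail body and a sled of `pop`/`inc` bytes are the same thing.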
This archive was generated by hypermail 2b30 : Sat Jan 26 2002 - 18:53:24 PST