Hello Charles:

Maybe that's why the paper's title said "Application IDS", not "Network IDS". I do not know why the proof of technique is a NIDS (maybe it is a more straightforward test than testing it on an application). It also said in the paper that, in order to implement this code in your Application IDS, you should set NOP_NUMBER to a value that fits your application and input data.

Probably it isn't the ultimate solution for polymorphic shellcode recognition, but it is a better solution than the high-bit recognition technique of secureiis from eeye.

Focusing on web server application IDS, I only know of eeye's secureiis (www.eeye.com) and ngsec's ngsecureweb (www.ngsec.com). I did the following test: under two different platforms, MS W2k IIS 5.0 and Linux Apache 1.3.23, I set up a common php and asp for uploading webpages and images, and uploaded 10 random 10k images/html with the POST method.

Results:
- ngsecureweb: raised no shellcode recognition alarm.
- secureiis: raised two alarms.

Fond Regards.
.RF

>From: Charles 'core' Stevenson <coreat_private>
>Reply-To: coreat_private
>To: Robert Flicker <robert_flickerat_private>
>Subject: Re: [NGSEC] Whitepaper Released: Polymorphic shellcodes vs. ApplicationIDSs
>Date: Sat, 26 Jan 2002 11:47:13 -0700
>
>Robert,
>
>I missed the code. It's very nice. I just expected to see more detail in the Whitepaper.
>
>(echo "GET ";./test 0)|nc localhost 80 <-- detected
>(echo "GET ";./execve)|nc localhost 80 <-- linux/ppc execve not detected
>
>Let's try some variations and see... perhaps if I give 200 nops.
>
>(echo "GET ";perl -e 'print "\x60"x200';./execve)|nc localhost 80 <-- detected although not correctly but no matter
>
>NIDS_shellcode v0.1 by Fermín J. Serna <fjsernaat_private>
>Next Generation Security Technologies
>http://www.ngsec.com
>
>IA32 shellcode found: Protocol TCP 127.0.0.1:57102 -> 127.0.0.1:80
>Dumping data:
>GET .B/].@XOTW.DK.J..'7G.D_/...KE]VH.^XP
>.^Dat_private@XH.S.IEG...OP_YJ.[.IM
>A....FZO.RU?N?]H'.EOB.CVW[T.XSA7.].CJJSA
>JMN7/].GTZ..UP....`.HL].'.XP.WKFH@7HEE..
>.WZJV.O.L.KY..FZIXTP].Z..`L7E[.BQUEE.PYS
>AG.TLLQYRDVV.K]G.]L]Q.TC......W`.7M/.X7L
>.7.ONCEVBS_HK.]RUR^X.
>
>IA32 shellcode found: Protocol TCP 127.0.0.1:57107 -> 127.0.0.1:80
>Dumping data:
>````````````````````````````````````````
>````````````````````````````````````````
>````````````````````````````````````````
>````````````````````````````````````````
>````````````````````````````````````````
>|.*x@.......;..08....a......8...;..`...p
>D.../bin/sh
>
>
>Best Regards,
>Charles Stevenson
>
>Robert Flicker wrote:
>
>> Have you tested the sourcecode that comes with the paper:
>>
>> http://www.ngsec.com/downloads/misc/NIDSfindshellcode.tgz
>>
>> As far as I know it is the first public code that does this stuff.
>> It may not be hot news, but I think it is worth the download, and is a better solution for current IDS than your exoteric thoughts with Neuronal Networks and distributed signature checking... IMHO unimplementable in current IDS technologies.
>>
>> Quoting from www.snort.org:
>>
>> "Paper: Polymorphicisms be gone
>> ...
>> His ideas revolve around counting multiple NOP type operations in a row and alerting when a threshold is reached. The idea has been kicked around for a while, but this is the first one that I have seen in actual implementation.
>> ...
>> "
>>
>> Current snort branch and its technique to detect shellcode is very easily foolable ;P... NIDSfindshellcode is also foolable but in a harder way.
>>
>> Robert Flicker
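The counting-NOPs-in-a-row technique the thread discusses, as an added example that is not the NIDSfindshellcode code from the paper: a threshold detector over a request body, run against a constructed 0x60 sled like the one in Charles's perl test and against an upload of plain uppercase text, which shows why NOP_NUMBER has to be tuned to the application's input data (the false alarms Robert saw on uploads). The opcode table is an illustrative subset and an assumption, not the paper's table.

```python
# Added example (not the NIDSfindshellcode code from the paper): count
# consecutive single-byte "NOP-equivalent" IA32 opcodes and alert once a
# run reaches NOP_NUMBER, as the thread describes.
from typing import Optional, Tuple

# Illustrative subset (an assumption, not the paper's table) of one-byte
# IA32 instructions usable as sled filler: nop, pusha/popa, sahf/lahf,
# cwde/cdq, clc/stc/cld/std, daa/das/aaa/aas, and inc/dec/push/pop r32.
NOP_EQUIVALENTS = frozenset(
    [0x90, 0x60, 0x61, 0x9E, 0x9F, 0x98, 0x99, 0xF8, 0xF9, 0xFC, 0xFD,
     0x27, 0x2F, 0x37, 0x3F] + list(range(0x40, 0x60))
)

NOP_NUMBER = 20  # threshold; the paper says to tune it to your input data


def longest_nop_run(data: bytes) -> Tuple[int, int]:
    """Return (length, offset) of the longest run of NOP-equivalent bytes."""
    best_len = best_off = run = start = 0
    for i, b in enumerate(data):
        if b not in NOP_EQUIVALENTS:
            run = 0
            continue
        if run == 0:
            start = i
        run += 1
        if run > best_len:
            best_len, best_off = run, start
    return best_len, best_off


def detect_sled(data: bytes, threshold: int = NOP_NUMBER) -> Optional[dict]:
    """Alert (offset/length of the run) when a NOP run meets the threshold."""
    length, offset = longest_nop_run(data)
    return {"offset": offset, "length": length} if length >= threshold else None


# Constructed samples: a 200-byte 0x60 sled like the thread's perl test,
# and an upload of plain uppercase text (0x41-0x5A decodes as inc/dec/push/pop).
SLED_REQUEST = b"GET " + b"\x60" * 200 + b"\x31\xc0\x50/bin/sh"
UPPERCASE_UPLOAD = (b"POST /f HTTP/1.0\r\n\r\n"
                    b"THEQUICKBROWNFOXJUMPSOVERTHELAZYDOG")

if __name__ == "__main__":
    print("sled:", detect_sled(SLED_REQUEST))             # alerts, length 200
    print("text:", detect_sled(UPPERCASE_UPLOAD))         # false alarm at 20
    print("text@64:", detect_sled(UPPERCASE_UPLOAD, 64))  # None once tuned
```

Raising the threshold removes the false alarm on the uppercase upload, which is the trade-off the paper leaves to whoever sets NOP_NUMBER.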
This archive was generated by hypermail 2b30 : Sun Jan 27 2002 - 09:17:32 PST