OSEC

From: Robert Flicker (robert_flickerhotmail.com)
Date: Sat Jan 26 2002 - 03:55:37 CST


    Hi Charles:

    Have you tested the source code that comes with the paper:

    http://www.ngsec.com/downloads/misc/NIDSfindshellcode.tgz

    As far as I know, it is the first public code that does this stuff.
    It may not be hot news, but I think it is worth the download, and it is a better
    solution for current IDS than your esoteric thoughts on neural networks
    and distributed signature checking... IMHO unimplementable in current IDS
    technologies.

    Quoting from www.snort.org:

    "Paper: Polymorphicisms be gone
    ...
    His ideas revolve around counting multiple NOP type operations in a row and
    alerting when a threshold is reached. The idea has been kicked around for a
    while, but this is the first one that I have seen in actual implementation.
    ...
    "

    The current Snort branch and its technique to detect shellcode is very easily
    fooled ;P... NIDSfindshellcode is also foolable, but in a harder way.

    Robert Flicker

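The threshold-on-consecutive-NOPs technique described in the quoted snort.org text, as an added example that is not code from this message, from NGSec or from Snort: a minimal run-length detector, compared against a rule that only counts plain 0x90 bytes. The NOP-equivalent opcode list is a partial set assumed for the example, and the sample payloads are constructed.

```python
import random

# Single-byte x86 opcodes commonly treated as "NOP-equivalent": a sled built
# from them still slides execution into whatever follows. Partial list,
# assumed for this example (real IDS lists are broader).
NOP_EQUIVALENTS = frozenset(
    [0x90]                                  # nop
    + list(range(0x40, 0x50))               # inc/dec r32 (also ASCII '@'..'O')
    + list(range(0x91, 0x98))               # xchg eax, r32
    + [0x98, 0x99, 0x9F, 0xF5, 0xF8, 0xF9, 0xFC, 0xFD]  # cwde cdq lahf cmc clc stc cld std
)
PLAIN_NOP = frozenset([0x90])   # the easily fooled "0x90 only" view

def longest_run(payload: bytes, opcode_set) -> int:
    """Length of the longest run of consecutive bytes all drawn from opcode_set."""
    longest = run = 0
    for b in payload:
        run = run + 1 if b in opcode_set else 0
        if run > longest:
            longest = run
    return longest

def sled_alert(payload: bytes, threshold: int = 14, opcode_set=NOP_EQUIVALENTS) -> bool:
    """Alert when a NOP-type run reaches the threshold (the idea quoted from snort.org)."""
    return longest_run(payload, opcode_set) >= threshold

def compare(payload: bytes, threshold: int = 14) -> dict:
    """Run both rules over one payload so their difference is visible."""
    return {
        "plain_0x90_rule": sled_alert(payload, threshold, PLAIN_NOP),
        "nop_equivalent_rule": sled_alert(payload, threshold, NOP_EQUIVALENTS),
    }

# Constructed samples: a classic 0x90 sled, a sled of mixed NOP-equivalents
# with no 0x90 at all, and ordinary HTTP text. Note that uppercase 'A'..'O'
# fall in the inc/dec range, which is why the threshold has to be generous.
TAIL = b"\xcc" * 8             # stand-in for whatever follows a sled
PLAIN_SLED = b"\x90" * 32 + TAIL
_rng = random.Random(1)
MIXED_SLED = bytes(_rng.choice(sorted(NOP_EQUIVALENTS - {0x90})) for _ in range(32)) + TAIL
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for name, p in [("plain", PLAIN_SLED), ("mixed", MIXED_SLED), ("benign", BENIGN)]:
        print(name, compare(p))
```

The mixed sled is missed by the 0x90-only rule but caught by the NOP-equivalent rule, while the HTTP request trips neither at a threshold of 14.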