From: Charles 'core' Stevenson (core bokeoa.com)
Date: Sat Jan 26 2002 - 12:53:36 CST
The code is interesting and pretty nice except that it detects just
about anything as shellcode. Even the last e-mail I sent out to you and
forgot to CC to the list. ;-)
IA32 shellcode found: Protocol TCP 127.0.0.1:57118 -> 127.0.0.1:25
Dumping data:
Message-ID: <3C52F9DA.451181D7
bokeoa.co
m>..Date: Sat, 26 Jan 2002 11:47:54 -070
0..From: Charles 'core' Stevenson <core
bokeoa.com>..Reply-To: core
bokeoa.com..
X-Mailer: Mozilla 4.7 [en] (X11; I; Linu
x 2.4.15-pre4 ppc)..X-Accept-Language: e
n..MIME-Version: 1.0..To: Robert Flicker
<robert_flicker
hotmail.com>..Subject:
Re: [NGSEC] Whitepaper Released: Polymor
phic shellcodes vs. .. ApplicationIDSs..
References: <F153nHxRKYblf8nFJ3V0001881d
hotmail.com>..Content-Type: text/plain;
charset=us-ascii..Content-Transfer-Enco
ding: 7bit....But it also detected the l
ast e-mail I sent as shellcode.....Haha.
.....peace,..core....Robert Flicker wrot
e:..> ..> Hi charles:..> ..> Have you te
sted the sourcecode that comes with the
paper:..> ..> http://www.ngsec.com/downl
oads/misc/NIDSfindshellcode.tgz..> ..> A
s far as i know is the first public code
that does this stuff...> It may be not
hot-news but i think it worth the downlo
ad, and is a better..> solution for curr
ent IDS than your exoteric thoughts with
Neuronal Networks..> and distributed si
gnature checking... INMHO uimplementable
in current IDS..> technologies...> ..>
Quoting from www.snort.org:..> ..> "Pape
r: Polymorphicisms be gone..> .....> His
ideas revolve around counting multiple
NOP type operations in a row and..> aler
ting when a threshold is reached. The id
ea has been kicked around for a..> while
, but this is the first one that I have
seen in actual implementation...> .....>
"..> ..> Current snort branch and its t
echnique to detect shellcode is very eas
y..> foolable ;P... NIDSfindshellcode is
also foolable but in a harder way...> .
.> Robert Flicker..> ..> _______________
________________________________________
__________..> Join the world?s largest e
-mail service with MSN Hotmail...> http:
//www.hotmail.com.....
Best Regards,
Charles Stevenson
Robert Flicker wrote:
>
> Hi Charles:
>
> Have you tested the sourcecode that comes with the paper:
>
> http://www.ngsec.com/downloads/misc/NIDSfindshellcode.tgz
>
> As far as I know it is the first public code that does this stuff.
> It may not be hot news but I think it is worth the download, and is a better
> solution for current IDS than your esoteric thoughts on Neural Networks
> and distributed signature checking... IMHO unimplementable in current IDS
> technologies.
>
> Quoting from www.snort.org:
>
> "Paper: Polymorphicisms be gone
> ...
> His ideas revolve around counting multiple NOP type operations in a row and
> alerting when a threshold is reached. The idea has been kicked around for a
> while, but this is the first one that I have seen in actual implementation.
> ...
> "
>
> The current snort branch and its technique to detect shellcode is very easily
> foolable ;P... NIDSfindshellcode is also foolable but in a harder way.
>
> Robert Flicker
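As an added illustration (not code from this thread or from NIDSfindshellcode), here is a minimal detector in the spirit of the threshold approach quoted from snort.org above, run over a constructed NOP sled and a constructed mail header line. The NOP-equivalent set is an assumption chosen to show why plain ASCII trips such a check: bytes 0x40-0x5f decode as single-byte inc/dec/push/pop instructions and are exactly the printable characters '@' through '_', uppercase letters included.

```python
# Added example, not from the thread or NIDSfindshellcode: a minimal
# "count NOP-type operations in a row, alert on a threshold" check and
# why ordinary ASCII trips it.

# Assumed single-byte IA32 NOP equivalents: nop (0x90) plus inc/dec/push/pop
# on a 32-bit register (0x40-0x5f). That range is exactly the printable
# characters '@' through '_', so every uppercase letter is in the set.
NOP_EQUIVALENTS = frozenset({0x90} | set(range(0x40, 0x60)))


def longest_nop_run(data: bytes) -> tuple[int, int]:
    """Return (length, offset) of the longest run of NOP-equivalent bytes."""
    best_len = best_off = 0
    run_len = run_off = 0
    for i, b in enumerate(data):
        if b in NOP_EQUIVALENTS:
            if run_len == 0:
                run_off = i          # a new run starts here
            run_len += 1
            if run_len > best_len:
                best_len, best_off = run_len, run_off
        else:
            run_len = 0              # any other byte breaks the run
    return best_len, best_off


def sled_alert(data: bytes, threshold: int = 8) -> dict:
    """Flag the payload if any run reaches the threshold and report that run."""
    length, offset = longest_nop_run(data)
    return {
        "alert": length >= threshold,
        "run_length": length,
        "offset": offset,
        "run": data[offset:offset + length].decode("latin-1"),
    }


# Constructed samples: a classic all-0x90 sled, a mail header line with
# capitalised words, and a lowercase sign-off.
SAMPLES = {
    "nop_sled": b"\x90" * 64,
    "mail_header": b"Subject: [NGSEC] APPLICATION IDS whitepaper",
    "signoff": b"peace, core",
}


def scan_samples(threshold: int = 8) -> dict:
    """Run the check over every constructed sample with one threshold."""
    return {name: sled_alert(data, threshold) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in scan_samples().items():
        print(f"{name:12s} alert={r['alert']!s:5s} run={r['run_length']:3d} {r['run']!r}")
```

With the default threshold the uppercase word "APPLICATION" fires just as the sled does, which is the false-positive behaviour the dump above shows on a plain-text mail.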