Gary Flynn wrote:
> I've seen signatures in other products that detect standard
> encodings of things like shellcode. Is this what it is
> doing?
Don't tell this to David Maynor, who some time ago claimed that no IDPS
vendor does this :)
(http://erratasec.blogspot.com/2007/03/yet-more-blogging-blackhat.html)
In fact, that's a quite common approach which does not work, as I
illustrated maybe even too many times:
http://www.blackhat.com/presentations/bh-dc-07/Zanero/Presentation/bh-dc-07-Zanero.pdf
Doing the same thing over with scripts is just as silly. You cannot
decode everything at the speed that you need, and in addition, as it was
pointed out in 1998 (TEN YEARS ago) by Ptacek and Newsham, trying to
cope with all the possible ways to create insertion or evasion attacks
will automatically generate a load of false positives.
Best,
Stefano
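To make the false-positive argument concrete, here is a small added Python demonstration (my own example, not code from the thread, from Zanero's slides, or from any IDS product). It contrasts a plain signature match with the "decode everything first" strategy, implemented here as brute-forcing every single-byte XOR key before matching, and measures how often that strategy flags purely random benign packets. The three-byte `SIGNATURE`, the packet size and the seeded random traffic are all constructed for the demo and are not real shellcode or real captures.

```python
"""Added example: plain signature matching vs. 'try every decoding' matching,
and the false positives the second strategy produces on benign random data."""
import random

# Constructed 3-byte signature for the demo; not a real shellcode pattern.
SIGNATURE = b"\x31\xc0\x50"

# One translation table per single-byte XOR key, so each "decode pass"
# is a single C-speed bytes.translate() call rather than a Python loop.
XOR_TABLES = [bytes(b ^ key for b in range(256)) for key in range(256)]


def plain_matches(payload: bytes, sig: bytes = SIGNATURE) -> int:
    """Count raw (overlapping) occurrences of sig in payload."""
    count, start = 0, 0
    while (i := payload.find(sig, start)) != -1:
        count += 1
        start = i + 1
    return count


def xor_decoded_matches(payload: bytes, sig: bytes = SIGNATURE) -> list:
    """Return every XOR key under which sig appears somewhere in payload.
    This is the 'decode all standard encodings' approach: 256 decode passes
    per packet, before any matching happens. Key 0 is the identity, so the
    result always includes whatever plain matching would have found."""
    hits = []
    for key, table in enumerate(XOR_TABLES):
        if sig in payload.translate(table):
            hits.append(key)
    return hits


def expected_spurious_hits(payload_len: int, sig_len: int) -> float:
    """Expected number of windows in uniformly random data where a
    sig_len-byte signature appears under *some* single-byte XOR key.
    A window matches under some key iff its adjacent-byte XOR differences
    equal those of the signature: sig_len - 1 independent byte constraints,
    each met with probability 1/256."""
    windows = payload_len - sig_len + 1
    return windows / (256 ** (sig_len - 1))


def false_positive_survey(n_packets: int, packet_len: int, seed: int = 7,
                          sig: bytes = SIGNATURE) -> dict:
    """Run both matchers over n_packets of constructed benign traffic
    (seeded pseudo-random bytes) and report how many packets each flags."""
    rng = random.Random(seed)
    plain_flagged = xor_flagged = 0
    for _ in range(n_packets):
        pkt = rng.getrandbits(8 * packet_len).to_bytes(packet_len, "big")
        if plain_matches(pkt, sig):
            plain_flagged += 1
        if xor_decoded_matches(pkt, sig):
            xor_flagged += 1
    return {
        "packets": n_packets,
        "plain_flagged": plain_flagged,
        "xor_flagged": xor_flagged,
        # Extra per-packet work the decoding layer adds before matching.
        "decode_passes": 256 * n_packets,
        "expected_xor_hits_per_packet": expected_spurious_hits(packet_len, len(sig)),
    }


if __name__ == "__main__":
    report = false_positive_survey(n_packets=2000, packet_len=1500)
    for k, v in report.items():
        print(f"{k}: {v}")
```

With a 3-byte signature the decoding layer turns a per-window match probability of 256^-3 into 256^-2, so roughly one benign 1500-byte packet in forty is flagged, while the matcher also does 256 times the work. A longer signature shrinks the spurious-hit rate, but every additional decoder (and every decoder combination) multiplies both the cost and the chance of a spurious match, which is the trade-off Ptacek and Newsham described for insertion and evasion handling.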