[Snort-devel] Re: CanSecWest and ADMutate

Martin Roesch roesch at ...48...
Tue Apr 3 23:50:38 EDT 2001

Yeah, I'm here.  Basically what was described was code that
auto-generates a decoder and then encodes the shell code to work with
the generated decoder.  I haven't taken that close a look at it, but
there are a number of ways that we can use to pick it up.

I've been thinking of a few different methods to pick this up since the
presentation.  I need to analyze how random the generated code truly is
first, we may be able to pick it up with standard pattern matching...

There are a few other ways that we could try to pick it up.  I've been
thinking that there are several anamalous things that we can pick out of
a lot of buffer overflows without doing any explicit pattern matching. 
Here's a few thoughts:

1) Buffer overflows against text-only services can be picked up by
checking the payload for characters that are outside the standard text

2) Checking data size against the current function being accessed in the
application being overflowed.  For instance, a POP3 "USER" command
probably will rarely exceed 100 characters.  We can scan for the command
and check the data size of the packet at the same time (we can also use
the stream reassembler to build the packets that the application will

3) Response anomaly detection.  Watch what comes back from the servers
and see if it matches expected responses.

All of these things can be combined to make sets of rules to detect not
just direct intrusions, but the *conditions* of intrusions being
exploited.  It's part anomaly detection, part signature detection, part
exception matching.

This would be better handled in Snort if we could assign a "confidence"
to detection by checking against multiple associated rules and issue
events with a level of certainty based on the number of conditions of
the event that were satisfied.

Something like that.  As with all things in this game, it's
measure-contermeasure.  We'll come up with a decent detection
methodology and the other side will come up with a new evasion


"Caruso, Anthony J." wrote:
> W.:
> Yes K2 gave a presentation on techniques and an API to "morph" shell code
> and evade IDS systems.  Try www.ktwo.ca/security or
> ftp://ADM.freelsd.net/pub/ADM the presentation & API may be there by now.
> Marty - you where there & you know NIDS better than most - what was your
> take?
> -Tony
> > -----Original Message-----
> > From: Vitaly Osipov [SMTP:vosipov at ...367...]
> > Sent: Tuesday, April 03, 2001 9:15 AM
> > To:   FOCUS-IDS at ...84...
> > Subject:      CanSecWest and ADMutate
> >
> > I've seen some news stories like
> > http://www.zdnet.co.uk/news/2001/13/ns-22021.html today - saying somebody
> > called K2 from ADCrew presented on CanSecWest a program for IDS evasion
> > (as
> > far as I understand, though the descriptions are very vague). Has somebody
> > been there and can shed a light on this? is really so c00l as news says or
> > is it just another fragrouter? :)
> >
> > regards,
> > W.

More information about the Snort-devel mailing list