[Snort-sigs] Pattern Matching in encoded Shellcode

felix.matenaar@...3492... felix.matenaar at ...3491...
Sat Apr 24 07:07:55 EDT 2010


I've not tested it but I could imagine that shellcode detection would
have some advantages instead of exploitation detection. In exploitation
detection you have to know the exploit. Shellcode detection requires
knowing the shellcode or the method used by it. But exploits are a lot more
individual than shellcode (correct me if I'm wrong). That would mean
that shellcode detection could be used to detect 0-days in case that
known shellcode or shellcode-techniques are used in a performant manner.


Jason Brvenik wrote:
>
> My point is that the shellcode is irrelevant when you detect
> exploitation of the vuln. Simple case would be detecting >20 bytes
> passed to a 20 byte buffer.
>
> I can think of some cases where you would end up with split vectors,
> payloads sent apart from exploitation, but none of them would require
> shellcode detection if you detect >20 bytes passed to a 20 byte buffer.
>
> I was looking for a use case outside exploitation where it would have
> applicability. EG: vuln in unescape itself types of things.
>
> The VRT NRT release would have direct applicability in those use cases
> for file formats at least.
>
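The two approaches contrasted in this thread, as an added illustration that is not code from the list or from Snort: a constructed toy protocol in which a USER field is copied into a 20-byte buffer. The length check (exploitation detection) fires on any overflowing field regardless of payload bytes, while the pattern match (shellcode detection) only fires when the payload carries a fragment already in the signature set. The protocol, the function names and all sample bytes are assumptions made for the example.

```python
import re

# Constructed toy protocol: client sends b"USER <name>\r\n" and the server
# copies <name> into a 20-byte stack buffer (the "20 byte buffer" of the thread).
BUFFER_SIZE = 20

# Constructed "known shellcode fragment" a pattern signature might carry.
# Arbitrary filler bytes, not a real decoder stub.
KNOWN_FRAGMENT = b"\x90\x90\x90\x90"

_USER_LINE = re.compile(rb"USER (?P<name>[^\r\n]*)\r\n")

def exploit_detection(msg: bytes, buffer_size: int = BUFFER_SIZE) -> bool:
    """Detect the vulnerability condition itself: more than buffer_size bytes
    in the USER field, whatever those bytes are.  Roughly what a Snort rule
    with a content match on "USER " followed by isdataat:<N>,relative expresses
    (a simplification; the real rule also has to bound the field at CRLF)."""
    m = _USER_LINE.match(msg)
    if m is None:
        return False
    return len(m.group("name")) > buffer_size

def shellcode_detection(msg: bytes, fragments=(KNOWN_FRAGMENT,)) -> bool:
    """Detect a known payload: fires only when a fragment from the signature
    set appears in the message, so re-encoding the payload evades it."""
    return any(f in msg for f in fragments)

def classify(msg: bytes) -> dict:
    """Run both detectors over one message and report which fired."""
    return {"exploit": exploit_detection(msg), "shellcode": shellcode_detection(msg)}

# Constructed sample traffic (filler only, no real shellcode).
BENIGN = b"USER alice\r\n"
KNOWN_PAYLOAD = b"USER " + b"A" * 24 + KNOWN_FRAGMENT + b"\r\n"          # overflow, known bytes
REENCODED_PAYLOAD = b"USER " + b"A" * 24 + b"\x01\x02\x03\x04" + b"\r\n"  # overflow, novel bytes

if __name__ == "__main__":
    for label, msg in [("benign", BENIGN), ("known", KNOWN_PAYLOAD), ("re-encoded", REENCODED_PAYLOAD)]:
        print(label, classify(msg))
```

Only the re-encoded case separates the two: the length check still fires, the pattern match does not.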
