[Snort-sigs] Pattern Matching in encoded Shellcode

Matt Olney molney at ...435...
Sat Apr 24 07:52:01 EDT 2010


We are certainly doing research in both.  Check the preso at labs.snort.org/nrt for an example of our research in that area.

Handling multi-byte XORing is challenging at line speed, but with a bit of time on the side it's doable.

Sent from my iPhone

On Apr 24, 2010, at 1:07 PM, "felix.matenaar at ...3492..." <felix.matenaar at ...3491...> wrote:

> I've not tested it but I could imagine that shellcode detection would
> have some advantages instead of exploitation detection. In exploitation
> detection you have to know the exploit. Shellcode detection requires to
> know the shellcode or the method used by it. But exploits are a lot more
> individual than shellcode (correct me if I'm wrong). That would mean
> that shellcode detection could be used to detect 0-days in case that
> known shellcode or shellcode-techniques are used in a performant manner.
>
>
> Jason Brvenik wrote:
>>
>> My point is that the shellcode is irrelevant when you detect
>> exploitation of the vuln. Simple case would be detecting >20 bytes
>> passed to a 20 byte buffer.
>>
>> I can think of some cases where you would end up with split vectors,
>> payloads sent apart from exploitation, but none of them would require
>> shellcode detection if you detect >20 bytes passed to a 20 byte buffer.
>>
>> I was looking for a use case outside exploitation where it would have
>> applicability. EG: vuln in unescape itself, types of things.
>>
>> The VRT NRT release would have direct applicability in those use cases
>> for file formats at least.
>>
>
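Added example, not code from this thread or from Snort's own shellcode preprocessor: how a detector can match a known plaintext fragment through an unknown multi-byte repeating XOR key without brute-forcing 256^k keys, and why the nested loops make it costly at line speed. The fragment, key, key-length limit and request bytes are all constructed for the demonstration.

```python
"""Find a known fragment inside a buffer hidden under an unknown repeating
XOR key of 1..MAX_KEY_LEN bytes.  At every alignment the first k bytes of the
window define the only key that could work; the rest of the fragment confirms
or rejects it.  No 256**k brute force, but the nested loops still cost
O(len(buf) * MAX_KEY_LEN * len(pattern)) per buffer, which is why doing this
inline at line speed is hard."""
from typing import List, Tuple

MAX_KEY_LEN = 4  # assumption: longer keys are not searched


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """Apply a repeating XOR key (used to build the sample and to decode hits)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _is_periodic(key: bytes) -> bool:
    """True if key repeats a shorter key that an earlier pass already covered."""
    n = len(key)
    return any(n % p == 0 and key == key[:p] * (n // p) for p in range(1, n))


def find_encoded(buf: bytes, pattern: bytes,
                 max_key_len: int = MAX_KEY_LEN) -> List[Tuple[int, bytes]]:
    """Return (offset, key) pairs where pattern XOR key occurs in buf.
    Only key lengths shorter than the pattern are tried: with len(pattern) <= k
    every window yields *some* key, i.e. no evidence at all.  An unencoded hit
    is reported with the one-byte key 0x00."""
    hits = []
    for k in range(1, max_key_len + 1):
        if len(pattern) <= k:
            break
        for off in range(len(buf) - len(pattern) + 1):
            # the first k bytes of the window fix the candidate key ...
            key = bytes(buf[off + j] ^ pattern[j] for j in range(k))
            if _is_periodic(key):
                continue  # already found (or rejected) with a shorter period
            # ... and the remaining pattern bytes must agree with it
            if all(buf[off + j] ^ key[j % k] == pattern[j]
                   for j in range(k, len(pattern))):
                hits.append((off, key))
    return hits

# Constructed sample: a fake request carrying the fragment under a 3-byte key.
PATTERN = b"\xde\xad\xbe\xef\x13\x37\x42"   # constructed "known fragment"
KEY = b"\xa5\x5a\x3c"                       # constructed encoder key
SAMPLE = (b"GET /index.html HTTP/1.1\r\n"
          + xor_repeat(PATTERN + b" trailing bytes", KEY) + b"\r\n\r\n")
```

`find_encoded(SAMPLE, PATTERN)` reports the fragment at offset 26 with the 3-byte key, and `xor_repeat(SAMPLE[off:], key)` then recovers the surrounding bytes for further inspection; the evidence per window is only `len(pattern) - k` bytes, so short fragments paired with long keys false-positive freely.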
