[Snort-users] What to do with malicious encrypted code!??

Matt Kettler mkettler at ...4108...
Tue Feb 3 14:05:39 EST 2004

At 02:52 PM 2/2/2004, soldier Mx wrote:
>I think so,
>if somebody sends malicious code encrypted, like the
>exploits or something, the IDS are useless!,
>what do you think, or what to do against that?

Well, just because the malicious payload is encrypted does not make an IDS 

Fundamentally they need to be using _some_ mechanism to get the code 
executed in the first place... an overflow or some other exploit.

Here you're looking for signs of attack before the code is delivered... and 
many snort sigs work this way (although I'd argue some snort sigs are 
incorrectly written and are exclusive to a particular proof-of-concept 
code, this isn't the general case).
