[Snort-users] What to do with malicious encrypted code!??
mkettler at ...4108...
Tue Feb 3 14:05:39 EST 2004
At 02:52 PM 2/2/2004, soldier Mx wrote:
>I think so,
>if somebody sends malicious code encrypted, like the
>exploits or something, the IDS are useless!
>What do you think, or what to do against that!?
Well, just because the malicious payload is encrypted does not make an IDS
Fundamentally they need to be using _some_ mechanism to get the code
executed in the first place... an overflow or some other exploit.
Here you're looking for signs of attack before the code is delivered.. and
many snort sigs work this way (although I'd argue some snort sigs are
incorrectly written and are exclusive to a particular proof-of-concept
code, this isn't the general case).
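
An added illustration of the point made in the reply above; it is not part of the original thread and is not a Snort rule. It compares a signature tied to one proof-of-concept's payload bytes with a signature on the delivery mechanism. The `USER` command, the 64-byte limit, the XOR key and all sample packets are constructed assumptions.

```python
# Constructed example: protocol, limit and packets are assumptions for illustration.
MAX_ARG = 64                          # assumed longest argument the service accepts
POC_PAYLOAD = b"PLACEHOLDER_PAYLOAD"  # inert stand-in for one proof-of-concept's payload
XOR_KEY = 0x21                        # arbitrary single-byte key for the "encrypted" variant


def xor_encode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Return data with every byte XORed with key (applying it twice restores data)."""
    return bytes(b ^ key for b in data)


def payload_signature(packet: bytes) -> bool:
    """Signature tied to one proof-of-concept: matches its payload bytes."""
    return POC_PAYLOAD in packet


def vector_signature(packet: bytes) -> bool:
    """Signature on the delivery mechanism: an over-long USER argument."""
    for line in packet.split(b"\r\n"):
        verb, _, arg = line.partition(b" ")
        if verb.upper() == b"USER" and len(arg) > MAX_ARG:
            return True
    return False


FILLER = b"A" * 80  # constructed padding that pushes the argument past MAX_ARG
SAMPLES = {
    "benign login": b"USER alice\r\n",
    "overflow, plain payload": b"USER " + FILLER + POC_PAYLOAD + b"\r\n",
    "overflow, encoded payload": b"USER " + FILLER + xor_encode(POC_PAYLOAD) + b"\r\n",
}


def evaluate(samples=SAMPLES):
    """Map each sample name to (payload_signature hit, vector_signature hit)."""
    return {name: (payload_signature(p), vector_signature(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (by_payload, by_vector) in evaluate().items():
        print(f"{name:28} payload-sig={by_payload!s:5} vector-sig={by_vector}")
```

The payload-specific check stops matching once the payload bytes change, while the check on the over-long argument fires for both variants and stays quiet on the normal login.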