Re: Polymorphic Shellcode detection

From: Jeremy Bennett <jeremy_f_bennett(at)yahoo.com>
Date: Tue May 06 2003 - 17:36:52 EDT

ADMutate exploited weaknesses in the purely signature-based IDS. By avoiding the patterns that the IDS looks for and accomplishing the same goal it was able to circumvent the stored patterns. IDS technology has moved past purely pattern matching approaches. Even ISS has some level of protocol analysis built in and I do not believe it is still confused by ADMutate. The success of the protocol anamoly detection systems like ManHunt (now owned by Symantec) and BlackICE (now owned by ISS) proved that you can not rely soly on pattern matching.

There are really two important aspects to intrusion detection. The first is to detect that something has happened that was not supposed to. The second is to provide enough information to the operator so that he or she can respond to the threat, either by patching, blocking, or shutting down a service.

ADMutate may still do a good job of hindering the second approach for some poorly written signatures but I'm fairly certain it is no longer a tool that can totally evade today's IDS.

-J
--- ulfabodo <ulfabodo@rediffmail.com> wrote:
> Hi,
> i wanted to find if the present ids'es are able to detect

---

> Can you respond to attacks based on attack type, severity, source IP,

---

>

---

Can you respond to attacks based on attack type, severity, source IP, destination IP, number of times attacked, or the time of day an attack occurs? No?
No wonder why you're swamped with false positives! Download a free 15-day trial of Border Guard and watch your false positives disappear.

http://www.securityfocus.com/StillSecure-focus-ids2

---

Received on Tue May 6 17:56:46 2003