Well, people have implemented a few techniques. But these techniques, if used on a standalone basis, can lead to a lot of false positives. The randomized NOP sleds generated by ADMutate can be detected. See this paper:
http://www.cgisecurity.com/lib/polymorphic_shellcodes_vs_app_IDSs.PDF

The same technique has been implemented in NIDSFindshellcode and Prelude IDS. Snort's fnord shellcode detection pre-processor also tries to detect these alternate NOP instruction sequences and, when the count hits a specific trigger limit, it declares an alarm. These techniques, when subjected to large binary data streams, generate a lot of false positives. I would say, if the device is doing enhanced protocol parsing there is even no need to detect shellcode. It would detect a malicious attack even before that.
On 11/4/05, crazy frog crazy frog <[EMAIL PROTECTED]> wrote:
> hi,
> are current ids/ips able to detect attacks such as polymorphic
> shell code (adm mutent) or any other such techniques?
> _CF
> --
> bam bam
> ting ding ting ding ting ding
> ting ding ting ding ding
> i m crazy frog :)
> "oh yeah oh yeah...
> another wannabe, in hackerland!!!"
>
> On 10/31/05, Pukhraj Singh <[EMAIL PROTECTED]> wrote:
> > Lot of things can be done to evade IPS/IDS.
> >
> > The tricks vary from protocol to protocol. The difference in the
> > decoding mechanism of security appliance and the application server
> > can lead to many evasion techniques. I have created and tested many
> > mutant exploits and they worked beautifully. The idea is to strike and
> > exploit some fundamental concepts of logic and protocols which
> > IDS/IPS makers tend to ignore or is simply beyond their device
> > capability
> >
> > Apparently, I haven't documented and organized the work I did.
> >
> > But here is an introductory paper you should definitely read:
> > http://www.cs.ucsb.edu/~rsg/Hidra/Papers/2004_vigna_robertson_balzarotti_CCS04.pdf
> >
> > --Pukhraj Singh
> >
> >
> > On 10/27/05, tcp fin <[EMAIL PROTECTED]> wrote:
> > > Hi Guys ,
> > > Any tips and tricks or good article on IDS/IPS evasion
> > > ?
> > > I have beautiful paper "Insertion, Evasion and Denial
> > > of Service:
> > > Eluding Network Intrusion detection".
> > > I need some pointers on RPC based evasion techniques.
> > >
> > > Regards,
> > > TCP FIN .

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
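As an added illustration of the fnord-style counting described in the reply above, here is a toy detector that scans a byte stream for runs of single-byte NOP-equivalent instructions and alarms once a run reaches a trigger limit, then measures how often uniform-random bytes (a stand-in for a large binary stream) trip it. This is example code written for this page, not the code of fnord, NIDSFindshellcode, Prelude or ADMutate; the instruction table and the default threshold of 30 are assumptions, and all sample payloads are constructed inside the block.

```python
"""Toy fnord-style NOP-sled detector (added example, not from the thread)."""
import random

# Representative subset of single-byte x86 instructions usable as NOP
# equivalents in a sled. ASSUMPTION: an illustrative table, not the exact
# one used by fnord, NIDSFindshellcode or ADMutate.
NOP_EQUIVALENTS = frozenset(
    [0x90,                          # nop
     0x98, 0x99,                    # cwde, cdq
     0x9e, 0x9f,                    # sahf, lahf
     0xf5, 0xf8, 0xf9, 0xfc, 0xfd,  # cmc, clc, stc, cld, std
     0x27, 0x2f, 0x37, 0x3f,        # daa, das, aaa, aas
     0x60, 0x61]                    # pusha, popa
    + list(range(0x40, 0x60))       # inc/dec reg, push/pop reg
    + list(range(0x91, 0x98))       # xchg eax, reg
)


def longest_nop_run(data: bytes) -> int:
    """Return the length of the longest run of consecutive NOP-equivalent bytes."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b in NOP_EQUIVALENTS else 0
        best = max(best, cur)
    return best


def alert(data: bytes, threshold: int = 30) -> bool:
    """fnord-style trigger: alarm once a single run reaches the threshold.

    ASSUMPTION: 30 is an illustrative default, not any tool's documented value.
    """
    return longest_nop_run(data) >= threshold


def random_nop_sled(length: int, seed: int = 7) -> bytes:
    """Constructed sample: a sled of randomly chosen NOP equivalents rather
    than plain 0x90s, i.e. the input a plain 0x90 signature would miss."""
    rng = random.Random(seed)
    table = sorted(NOP_EQUIVALENTS)
    return bytes(rng.choice(table) for _ in range(length))


def false_positive_rate(threshold: int, samples: int = 500,
                        size: int = 1500, seed: int = 1) -> float:
    """Fraction of constructed uniform-random payloads (a stand-in for a
    large binary data stream) that trip the detector at the given threshold."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        payload = bytes(rng.getrandbits(8) for _ in range(size))
        hits += alert(payload, threshold)
    return hits / samples


if __name__ == "__main__":
    share = len(NOP_EQUIVALENTS) / 256
    print(f"{len(NOP_EQUIVALENTS)} of 256 byte values count as NOP-equivalent ({share:.1%})")
    print("plain 0x90 sled alarms:  ", alert(b"\x90" * 200))
    print("randomised sled alarms:  ", alert(random_nop_sled(200)))
    for t in (4, 8, 30):
        print(f"threshold {t:2d}: false-positive rate on random binary data = "
              f"{false_positive_rate(t):.2f}")
```

Roughly a fifth of all byte values land in the table, so the threshold is the whole game: a low trigger limit catches short sleds but fires on almost every kilobyte of random binary data, while a limit of 30 or so is quiet on random data yet only catches sleds that are at least that long and made purely of single-byte instructions. That trade-off is why the reply above treats sled counting as a weak signal on its own and prefers protocol-aware parsing that flags the malformed request before the payload is ever inspected.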
