Cisco Support Community

Polymorphic shell code, optimizing evasive detection configuration

Are there general signatures within the code base-4 image that deal with polymorphic shell code algorithms?

Is there a way of creating an effective custom signature, given the signature micro engines, that would achieve a reasonable degree of detection?

It is indicated that when using non-IDSM devices supported by IDS MC, the product of the Maximum Partial Datagrams and the Maximum Fragments Per Datagram remains less than or equal to 2,000,000. What variables would you suggest for a product less than or equal to 2,000,000 for a configuration optimized to detect split evasive techniques? Likewise for TCP Session Reassembly. Suppose a best-case scenario for the equation, where the impact of hardware limitations is not considered.


Re: Polymorphic shell code, optimizing evasive detection conf

Cisco's philosophy in writing signatures for buffer overflow vulnerabilities has always been to generally rely on the length of buffers rather than on the specific content. For instance, with our RPC signatures, we don't look for specific shell code. We measure the length of the call in conjunction with the Program / Procedure numbers. This alleviates the problem of polymorphic shell code. Also, since we perform IP / TCP reassembly, fragmenting the attack will have a negligible effect.
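
The reply above makes two points: a length-based signature does not care what bytes the buffer holds, and reassembly happens before inspection so fragmenting changes nothing. The following Python is an added illustration of both ideas together; it is not Cisco code and does not reproduce any real Cisco signature. It parses the fixed part of an ONC RPC v2 call (RFC 5531), measures only the length of the procedure argument, and raises an alert when a watched program/procedure pair carries an argument over a limit. The (program, procedure) pair and the 256-byte limit in `MAX_ARG_LEN` are constructed placeholders, the sample calls are built inline with random argument bytes to show the check is content-agnostic, and a minimal IP-style fragment reassembler reorders out-of-order fragments before the same check runs.

```python
import struct
import os

# ONC RPC (RFC 5531) constants for the call header we parse.
MSG_TYPE_CALL = 0
RPC_VERSION = 2
AUTH_NULL = 0

# Constructed example: an argument-length limit per (program, procedure) pair.
# Placeholder values for this illustration, not real signature thresholds.
MAX_ARG_LEN = {
    (100000, 4): 256,   # hypothetical watched pair: program 100000, procedure 4
}


def reassemble_ip_fragments(fragments):
    """Reorder fragments by byte offset and rebuild the original datagram.

    Each fragment is (offset_in_bytes, more_fragments_flag, data). Inspection
    runs on the reassembled datagram, so an attack split across fragments is
    seen whole. Gaps, overlaps and an incomplete datagram are rejected.
    """
    frags = sorted(fragments, key=lambda f: f[0])
    buf = bytearray()
    expected = 0
    for offset, more, data in frags:
        if offset != expected:
            raise ValueError("gap or overlap at offset %d" % offset)
        buf += data
        expected += len(data)
    if frags and frags[-1][1]:
        raise ValueError("last fragment still has MF set; datagram incomplete")
    return bytes(buf)


def parse_rpc_call(payload):
    """Parse an ONC RPC call header and return (prog, vers, proc, arg_len).

    Layout: xid, msg_type, rpcvers, prog, vers, proc, then cred and verf as
    opaque_auth (flavor, length, body padded to 4 bytes). Everything after
    that is the procedure argument; only its length is measured.
    """
    if len(payload) < 24:
        raise ValueError("truncated RPC header")
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack("!6I", payload[:24])
    if mtype != MSG_TYPE_CALL or rpcvers != RPC_VERSION:
        raise ValueError("not an RPC v2 call")
    pos = 24
    for _ in range(2):  # cred, then verf
        if len(payload) < pos + 8:
            raise ValueError("truncated opaque_auth")
        flavor, alen = struct.unpack("!II", payload[pos:pos + 8])
        if alen > 400:  # RFC 5531 caps an auth body at 400 bytes
            raise ValueError("auth body too long")
        pos += 8 + ((alen + 3) & ~3)
    if pos > len(payload):
        raise ValueError("truncated auth body")
    return prog, vers, proc, len(payload) - pos


def length_signature(payload):
    """True when a watched (prog, proc) call carries an over-limit argument."""
    prog, vers, proc, arg_len = parse_rpc_call(payload)
    limit = MAX_ARG_LEN.get((prog, proc))
    return limit is not None and arg_len > limit


def build_rpc_call(prog, vers, proc, args, xid=0x1234):
    """Constructed RPC v2 call with AUTH_NULL cred/verf and the given argument."""
    hdr = struct.pack("!6I", xid, MSG_TYPE_CALL, RPC_VERSION, prog, vers, proc)
    auth = struct.pack("!II", AUTH_NULL, 0) * 2
    return hdr + auth + args


def demo():
    benign = build_rpc_call(100000, 2, 4, b"\x00" * 64)
    # Two oversized calls whose argument bytes are unrelated random data:
    # the length rule fires on both without any byte pattern to match.
    big_a = build_rpc_call(100000, 2, 4, os.urandom(600))
    big_b = build_rpc_call(100000, 2, 4, os.urandom(600))
    # The same oversized call split into three out-of-order fragments at
    # 8-byte-aligned offsets, reassembled before the check.
    frags = [(0, 1, big_a[:200]), (400, 0, big_a[400:]), (200, 1, big_a[200:400])]
    reassembled = reassemble_ip_fragments(frags)
    return {
        "benign": length_signature(benign),
        "big_a": length_signature(big_a),
        "big_b": length_signature(big_b),
        "fragmented": length_signature(reassembled),
        "reassembled_ok": reassembled == big_a,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports the benign call as clean and both oversized calls as hits even though their argument bytes share nothing, and the fragmented copy is caught once it is reassembled. The limit value is the part a custom signature author would have to derive from the protocol's legitimate argument sizes; the check itself never inspects content, which is what makes it indifferent to shell code encoding.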
