New Signature Ideas
This is a TODO list of ideas that have been proposed but still need work. If one of them interests you, feel free to work on it. If you expect to produce something, put your name next to the idea so others who want to help can contact you. Putting your name down is not an obligation to finish the idea, just a way to coordinate help.
PE Header signatures
Catalogue the structure and all plausible variations of a PE header so we can write signatures that catch PE files inside data streams. Streams such as HTTP, IM and tftp would be useful targets, especially HTTP transfers where the file is reported to be a jpeg or some other harmless type.
There are some existing similar sigs that need to be expanded:
2001683, 2001684, 2001685, 2000419, 2000423, 2000424, 2000425, 2000426, 2000427, 2003184
The following search for MZ will show most of the existing signatures:
http://doc.bleedingthreats.net/bin/view/Main/WebSearch?search=%22MZ%22
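As an added example (not code from this page or from the Bleeding Threats signature set), the Python below does in software what such a signature would do on the wire: it scans a captured HTTP body for a DOS header whose e_lfanew field points at a valid "PE\0\0" signature, reads the machine type, and flags the hit when the declared Content-Type claims a non-executable type such as image/jpeg. The sample body, headers and the EXECUTABLE_TYPES list are constructed assumptions.

```python
import struct

# Constructed sample: a minimal DOS stub + PE signature + COFF header,
# served with a JPEG content type. e_lfanew (at 0x3C) points to 0x40.
SAMPLE_BODY = (
    b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    + b"PE\x00\x00" + struct.pack("<HH", 0x014C, 3)  # Machine=i386, 3 sections
    + b"\x00" * 16                                    # rest of the COFF header
)
SAMPLE_HEADERS = {"Content-Type": "image/jpeg"}

MACHINES = {0x014C: "i386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}
# Assumed list of content types under which a PE is not a mismatch.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream",
                    "application/x-dosexec"}

def find_pe_header(data):
    """Scan data for a DOS header whose e_lfanew points at a PE signature.
    A bare 'MZ' matches far too often in binary streams, so a hit requires the
    e_lfanew pointer and 'PE\\0\\0' to line up.  Returns (mz_offset, pe_offset,
    machine_name) or None."""
    start = 0
    while True:
        mz = data.find(b"MZ", start)
        if mz < 0 or mz + 0x40 > len(data):       # need the full DOS header
            return None
        e_lfanew = struct.unpack_from("<I", data, mz + 0x3C)[0]
        pe = mz + e_lfanew
        # Signature (4 bytes) plus COFF header (20 bytes) must fit in the data.
        if pe + 24 <= len(data) and data[pe:pe + 4] == b"PE\x00\x00":
            machine = struct.unpack_from("<H", data, pe + 4)[0]
            return mz, pe, MACHINES.get(machine, "unknown(0x%04x)" % machine)
        start = mz + 1                             # keep scanning for later MZs

def check_response(headers, body):
    """Return a dict describing a PE found in an HTTP body, with 'mismatch' set
    when the declared Content-Type does not admit an executable; None if no PE."""
    hit = find_pe_header(body)
    if hit is None:
        return None
    mz, pe, machine = hit
    declared = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return {"mz_offset": mz, "pe_offset": pe, "machine": machine,
            "declared": declared, "mismatch": declared not in EXECUTABLE_TYPES}
```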
Web based javascript/iframe badness
Here are my ideas based on hits I see in IDS that are almost rock solid for catching bad stuff (tm) that is web based:
- Javascript NOP sled (%u9090%u9090)
- Javascript heap spray (some sort of sig based on some generic parts of the heap spray method)
- script or iframe tag prepended to an html or other www served file (i.e. they show up before the html tag that starts the page)
Various payloads exist as a basis for generating these signatures. Thoughts? -Jacob
Next Idea?
--
MattJonkman - 19 Apr 2007