Well we pretty much all know that Intrusion Detection Systems (IDS) are a security program based on signatures. These signatures can be ASCII or HEX patterns, and ports, amongst other fields. Well while an IDS will not catch everything, especially 0 day, you can still try to catch the hacker who dropped a 0 day on you. How you ask??? Well most hacks have a predictable end state ie: remote code execution via a command shell or similar type strategy. Well the trick is to then build signatures to catch such outbound command sessions. Yep, that means stuff like c:’ and c:’windows’system32 and the such. That plus the xp_cmdshell which could be the result of an SQL hack. These are some of the obvious ones to look for. What takes time is to look for the not so obvious signs of outbound connectivity
Technorati Tags: Command shell, Remote code execution, Intrusion Detection System, IDS