Score: -6

Is a Network Intrusion Detection System (NIDS) (pattern matching, protocol analysis or behavior analysis) able to detect buffer overflow in the network traffic?

Asked by Uptown (last edited by RoraΖ)

1 Answer

Score: 2

A NIDS would not be able to detect a buffer overflow for a couple of reasons.

  1. It's impossible to know what the target platform for the payload is, strictly based off of network traffic.
  2. Exploits at the network level most likely target some application or daemon on the other side. The buffer overflow is likely targeting a specific vulnerability, and this is also not possible to know by strictly looking at network traffic.

Let's assume that you're only looking for x86 targeted applications. The IDS would need to disassemble the bytes (assumed to be an x86 payload), and automatically look for buffer-overflow-looking behavior. This is assuming that the payload is not encrypted or compressed, in which case this process is all for nothing.

Even with those assumptions, the amount of time to perform that type of analysis on every packet entering a system would grind the system to a halt. It's just not a feasible task to detect specific attacks that a malicious payload might perform. Flagging malicious packets and logging those packets is the best it can do. Later analysis can be performed either by hand, or by other tools.

Answered by RoraΖ
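To make the answer's point concrete, here is an added example (not code from the question, the answer, or any real IDS) of the two cheap checks a pattern-matching or protocol-analysis NIDS can actually afford per packet: a signature for a long run of x86 NOP bytes, and a length check on a field of a hypothetical text protocol (`USER <name>`, with an assumed 64-byte limit). The thresholds and the protocol are assumptions made for the example. The constructed packets show that these checks fire on an obviously oversized, sled-padded field, stay quiet on normal traffic, and also stay quiet once the same bytes are merely zlib-compressed, which is the "encrypted or compressed" limitation the answer describes.

```python
import zlib
from collections import namedtuple

Alert = namedtuple("Alert", ["rule", "detail"])

NOP_SLED_MIN = 32     # assumed threshold: this many consecutive 0x90 bytes
MAX_FIELD_LEN = 64    # assumed limit for the hypothetical "USER <name>\r\n" command


def longest_nop_run(payload: bytes) -> int:
    """Pattern matching: length of the longest run of 0x90 (x86 NOP) bytes."""
    best = run = 0
    for b in payload:
        run = run + 1 if b == 0x90 else 0
        best = max(best, run)
    return best


def user_field_length(payload: bytes):
    """Protocol analysis for a hypothetical line-based protocol.

    Returns the length of the USER argument, or None if the packet is not a
    USER command. No attempt is made to interpret the bytes as code.
    """
    if not payload.startswith(b"USER "):
        return None
    arg = payload[5:].split(b"\r\n", 1)[0]
    return len(arg)


def inspect(payload: bytes):
    """Run the two signature-style checks and return the alerts they raise."""
    alerts = []
    sled = longest_nop_run(payload)
    if sled >= NOP_SLED_MIN:
        alerts.append(Alert("x86-nop-sled", f"{sled} consecutive 0x90 bytes"))
    field = user_field_length(payload)
    if field is not None and field > MAX_FIELD_LEN:
        alerts.append(Alert("oversized-user-field",
                            f"USER argument is {field} bytes (limit {MAX_FIELD_LEN})"))
    return alerts


# Constructed sample packets (not captured traffic).
BENIGN = b"USER alice\r\n"
SUSPICIOUS = b"USER " + b"\x90" * 200 + b"AAAA" + b"\r\n"
# Same bytes after compression: the NOP run and the USER prefix are no longer
# visible, so both checks miss it.
COMPRESSED = zlib.compress(SUSPICIOUS)


def rules_fired(payload: bytes):
    """Convenience wrapper: names of the rules that matched a payload."""
    return [a.rule for a in inspect(payload)]


if __name__ == "__main__":
    for name, pkt in [("benign", BENIGN), ("suspicious", SUSPICIOUS), ("compressed", COMPRESSED)]:
        print(f"{name:11s} -> {rules_fired(pkt)}")
```

Both checks are O(n) in the packet length, which is why a real NIDS can run them inline. Neither one proves a buffer overflow: the length check only knows the field exceeds a limit the operator configured, and the NOP-sled rule only knows a byte pattern is present. Deciding whether the bytes would actually overflow a buffer in the receiving daemon would require knowing the target's architecture and the specific vulnerability, which is exactly what the answer says cannot be read off the wire.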