Why Signature Detection Fails
The problem with almost any intrusion detection system is unknown attacks and unknown vectors. Likewise, anti-virus software has difficulty protecting against all of them. There are many tricks to fool intrusion detection or AV software.
One of them is generating false alarms or increasing the noise on the line. Another technique is to make a reverse (shell) connection to a webserver or client. This can be used to bypass certain firewall rules or intrusion detection mechanisms.
Intrusion detection or firewall rules can detect obfuscated shellcode, but this isn't perfect. There are plenty of ways to obfuscate shellcode or other attack vectors. In fact, there are so many ways that it is impossible to detect them all.
Hex code can be translated to Unicode, giving it a trusted look and feel. IP addresses can be presented in a myriad of ways by using octal dotted, decimal, (d)word, or even hexadecimal dotted conversion.