[Snort-devel] Polymorphic Shellcode Detection preprocessor

Steve Halligan agent33 at ...269...
Tue Jan 29 12:30:03 EST 2002

Inspired by Brian's posting of the proof of concept paper about NIDS
detection of polymorphic shellcode, I went ahead a crufted up a preprocessor
plugin based on the proof of concept NIDS that the paper provided.

You can read the paper here:

You can learn about polymorphic shellcode at www.ktwo.ca

This is pretty much gaurenteed to be a massive eater of cpu, so use at your
own risk.  I haven't had the chance to test this under heavy load, so I
don't know (but would like to see) how it behaves.  Please play with it and
send me feedback.

I am using the same test that the papers author is, looking for more than X
number of NOPs or NOP-like bytes in a row.

To use it:
1) plop the 2 attached files in your snort/src/preprocessors/ dir.  
2) Edit plugbase.c like this:
    SetupPolyshell();  <-----add this line

3)  Edit plugbase.h like this:
#include "spp_arpspoof.h"
#include "spp_polyshell.h"  <----add this line

4) edit generators.h like this:
#define GENERATOR_SPP_POLYSHELL     114                <----this one
#define     POLYSHELL_TRAFFIC_DETECT              1    <----and this one

#endif /* __GENERATORS_H__ */

4)  Add a line to snort.conf to init it.  The argument sets the number of
NOPs that need to happen in a row before an alert is generated.  50 is the
preprocessor polyshell: 50

-------------- next part --------------
A non-text attachment was scrubbed...
Name: spp_polyshell.c
Type: application/octet-stream
Size: 11985 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20020129/8a1e7e01/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: spp_polyshell.h
Type: application/octet-stream
Size: 679 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20020129/8a1e7e01/attachment-0001.obj>

More information about the Snort-devel mailing list