[Snort-devel] Polymorphic Shellcode Detection preprocessor

Imran William Smith iwsmith at ...1111...
Tue Jan 29 16:51:02 EST 2002

Good work Steve,

How did do you define a 'nop like byte'?
Which architecture are you testing for - Intel 32 bit?
Did you include 'decrement increment' and similar tricks as 'nop'?
Or is it easy to add a list of extra combinations?  Presumably you
didn't go with the [paper's one idea of putting a complete virtual machine
inside the detector...

Imran William Smith
Security Products Development
Mimos Bhd, Malaysia

----- Original Message -----
From: "Steve Halligan" <agent33 at ...269...>
To: "Snort-Devel (E-mail)" <snort-devel at lists.sourceforge.net>
Sent: Wednesday, January 30, 2002 4:29 AM
Subject: [Snort-devel] Polymorphic Shellcode Detection preprocessor

> Inspired by Brian's posting of the proof of concept paper about NIDS
> detection of polymorphic shellcode, I went ahead a crufted up a
> plugin based on the proof of concept NIDS that the paper provided.
> You can read the paper here:
> http://www.ngsec.com/docs/polymorphic_shellcodes_vs_app_IDSs.PDF
> You can learn about polymorphic shellcode at www.ktwo.ca
> This is pretty much gaurenteed to be a massive eater of cpu, so use at
> own risk.  I haven't had the chance to test this under heavy load, so I
> don't know (but would like to see) how it behaves.  Please play with it
> send me feedback.
> I am using the same test that the papers author is, looking for more than
> number of NOPs or NOP-like bytes in a row.
> To use it:
> 1) plop the 2 attached files in your snort/src/preprocessors/ dir.
> 2) Edit plugbase.c like this:
>     SetupARPspoof();
>     SetupPolyshell();  <-----add this line
> 3)  Edit plugbase.h like this:
> #include "spp_arpspoof.h"
> #include "spp_polyshell.h"  <----add this line
> 4) edit generators.h like this:
> #define GENERATOR_SPP_POLYSHELL     114                <----this one
> #define     POLYSHELL_TRAFFIC_DETECT              1    <----and this one
> #endif /* __GENERATORS_H__ */
> 4)  Add a line to snort.conf to init it.  The argument sets the number of
> NOPs that need to happen in a row before an alert is generated.  50 is the
> default.
> preprocessor polyshell: 50

More information about the Snort-devel mailing list