[Snort-devel] Polymorphic Shellcode Detection preprocessor

Steve Halligan agent33 at ...269...
Tue Jan 29 17:02:17 EST 2002


> Good work Steve,

Thanks.

> 
> How did you define a 'nop-like byte'?
> Which architecture are you testing for - Intel 32 bit?

Yup, but others could be added easily (at much CPU expense, I might add).

> Did you include 'decrement increment' and similar tricks as 'nop'?
The list of "nops" is stolen from ADMmutate; K2 has "uncovered" 76 different
ways to say "nops" with an opcode.

> Or is it easy to add a list of extra combinations?  Presumably you
> didn't go with the paper's one idea of putting a complete virtual machine
> inside the detector...
Easy to add/change the combos, just edit the junk struct.
I am not doing the virtual machine idea.  I am counting nops and nop-like
opcodes.
The virtual machine idea may work, but would be better suited to an
application IDS.

-Steve
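A minimal illustration of the counting approach Steve describes, added here as an example (it is not the preprocessor's own code): it scans a payload for runs and overall density of single-byte x86 instructions that a sled can use as filler. The `NOP_LIKE` set and the thresholds are assumed illustrative values, not K2's list of 76 opcodes.

```python
# Nop-sled heuristic in the spirit of the preprocessor discussed in the mail:
# count single-byte x86 instructions that execute harmlessly as sled filler.
# NOP_LIKE is an illustrative subset (assumption), not the ADMmutate list.
NOP_LIKE = frozenset(
    [0x90]                              # nop
    + list(range(0x40, 0x50))           # inc/dec eax..edi
    + list(range(0x91, 0x98))           # xchg eax, ecx..edi
    + [0x98, 0x99, 0x9F,                # cwde, cdq, lahf
       0xF5, 0xF8, 0xF9, 0xFC,          # cmc, clc, stc, cld
       0x27, 0x2F, 0x37, 0x3F]          # daa, das, aaa, aas
)


def longest_nop_run(payload: bytes, nop_set=NOP_LIKE) -> int:
    """Length of the longest contiguous run of nop-like bytes."""
    best = run = 0
    for b in payload:
        run = run + 1 if b in nop_set else 0
        best = max(best, run)
    return best


def nop_density(payload: bytes, nop_set=NOP_LIKE) -> float:
    """Fraction of payload bytes that are nop-like (0.0 for an empty payload)."""
    if not payload:
        return 0.0
    return sum(1 for b in payload if b in nop_set) / len(payload)


def detect_sled(payload: bytes, min_run: int = 32, min_density: float = 0.6) -> dict:
    """Alert when the longest nop-like run or the overall density crosses a threshold."""
    run = longest_nop_run(payload)
    density = nop_density(payload)
    return {
        "alert": run >= min_run or density >= min_density,
        "longest_run": run,
        "density": round(density, 2),
    }


# Constructed sample payloads (not real captures).
SLED_SAMPLE = bytes([0x41, 0x4B, 0x97, 0x90, 0x27, 0x99, 0xFC, 0x43] * 6) + b"\x31\xc0\x50"
TEXT_SAMPLE = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for name, sample in (("sled", SLED_SAMPLE), ("text", TEXT_SAMPLE)):
        print(name, detect_sled(sample))
```

Note that 0x41-0x4F (inc/dec) are also ASCII 'A'-'O', so plain text contributes to the density count; the run-length check and a moderately high density threshold are what keep ordinary protocol text below the alert line.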



