[Snort-devel] Polymorphic Shellcode Detection preprocessor

Dragos Ruiu dr at ...40...
Tue Jan 29 19:50:02 EST 2002


Whoa there....

Please do not use this.

It makes a number of mistakes.  Most important of which is
being able to walk off the end of the packet at pkt_data += intel_njunk[junk_index].len-1;
(Woop! Woop! Danger Will Robinson!)

I have been holding off replying on this thread, because I've been noodling around
with a mutate detector algorithm for about a year now ever since K2 presented his
paper at my conference.  The other problems this algorithm has is that it will
false erm... quite a bit :-), and doing all those strncmps will iterate over
every packet altogether too much and chew up a _lot_ of cpu at higher data rates.

I'll save the rest of the analysis and the refinements needed for when I release my 
detector shortly.  But since this code is remotely exploitable, I thought I should 
post a small warning note, before anyone messes up their nice snort...

I would like to thank Steve for his appreciated and well intentioned effort, and wonder 
if he would like to be an alpha tester for my code... 

cheers,
--dr

--
Requisite Commercial Content and Disclaimers:  http://cansecwest.com
CanSecWest Network Security Training Conference - Vancouver B.C. - May 1-3 2002
OpenSnort IDS Sensors: http://www.sourcefire.com

On Tue, 29 Jan 2002 14:29:19 -0600
Steve Halligan <agent33 at ...269...> wrote:

> Inspired by Brian's posting of the proof of concept paper about NIDS
> detection of polymorphic shellcode, I went ahead and crufted up a preprocessor
> plugin based on the proof of concept NIDS that the paper provided.
> 
> You can read the paper here:
> http://www.ngsec.com/docs/polymorphic_shellcodes_vs_app_IDSs.PDF
> 
> You can learn about polymorphic shellcode at www.ktwo.ca
> 
> This is pretty much guaranteed to be a massive eater of cpu, so use at your
> own risk.  I haven't had the chance to test this under heavy load, so I
> don't know (but would like to see) how it behaves.  Please play with it and
> send me feedback.
> 
> I am using the same test that the paper's author is, looking for more than X
> number of NOPs or NOP-like bytes in a row.
> 
> To use it:
> 1) plop the 2 attached files in your snort/src/preprocessors/ dir.  
> 2) Edit plugbase.c like this:
>     SetupARPspoof();
>     SetupPolyshell();  <-----add this line
> 
> 3)  Edit plugbase.h like this:
> #include "spp_arpspoof.h"
> #include "spp_polyshell.h"  <----add this line
> 
> 4) edit generators.h like this:
> #define GENERATOR_SPP_POLYSHELL     114                <----this one
> #define     POLYSHELL_TRAFFIC_DETECT              1    <----and this one
> 
> #endif /* __GENERATORS_H__ */
> 
> 5)  Add a line to snort.conf to init it.  The argument sets the number of
> NOPs that need to happen in a row before an alert is generated.  50 is the
> default.
> preprocessor polyshell: 50
> 
> 
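A bounds-checked form of the run counter Steve's plugin applies, written here as an added example (it is neither Steve's preprocessor nor Dragos's detector): the NOP-like table, its name `intel_njunk`, the sample payload and the threshold handling are constructed for illustration, and the `n <= len - off` check is the guard that keeps the advance by a table entry's length from walking off the end of the packet, which is the defect Dragos points out.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the plugin's intel_njunk table: a few single-byte
 * and one two-byte x86 sequence that execute as NOP-equivalents.  Not a
 * complete list; the two-byte entry is there to exercise len > 1. */
typedef struct { const uint8_t *bytes; size_t len; } njunk_t;
static const uint8_t nop_b[]     = {0x90};
static const uint8_t inc_ecx_b[] = {0x41};
static const uint8_t dec_ecx_b[] = {0x49};
static const uint8_t xchg_b[]    = {0x87, 0xc0};
static const njunk_t intel_njunk[] = {
    {nop_b, 1}, {inc_ecx_b, 1}, {dec_ecx_b, 1}, {xchg_b, 2},
};
#define NJUNK_COUNT (sizeof intel_njunk / sizeof intel_njunk[0])

/* Length of the table entry matching at pkt[off], or 0 if none matches.
 * The remaining-length test is the bounds check the posted plugin lacks:
 * without it a multi-byte entry "matched" at the tail reads past the buffer
 * and the subsequent advance leaves the scan pointer beyond the packet. */
static size_t match_junk(const uint8_t *pkt, size_t len, size_t off)
{
    for (size_t i = 0; i < NJUNK_COUNT; i++) {
        size_t n = intel_njunk[i].len;
        if (n <= len - off && memcmp(pkt + off, intel_njunk[i].bytes, n) == 0)
            return n;
    }
    return 0;
}

/* Longest run, in bytes, of back-to-back NOP-like sequences in the payload. */
size_t longest_nop_run(const uint8_t *pkt, size_t len)
{
    size_t best = 0, run = 0, off = 0;
    while (off < len) {
        size_t n = match_junk(pkt, len, off);
        if (n == 0) { run = 0; off++; continue; }   /* non-junk byte ends the run */
        run += n;
        if (run > best) best = run;
        off += n;   /* never exceeds len: match_junk required n <= len - off */
    }
    return best;
}

/* Mirrors "preprocessor polyshell: N": alert once a run reaches the threshold. */
int polyshell_alert(const uint8_t *pkt, size_t len, size_t threshold)
{
    return longest_nop_run(pkt, len) >= threshold;
}

/* Constructed sample: a 3-byte run, a break, then a 5-byte run that contains the
 * two-byte entry, ending in a lone 0x87 that must not be matched as xchg. */
static const uint8_t sample_pkt[] = {0x90,0x90,0x90,0x00,0x41,0x87,0xc0,0x49,0x41,0x87};
size_t run_constructed_sample(void) { return longest_nop_run(sample_pkt, sizeof sample_pkt); }
```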
