[Snort-devel] Polymorphic Shellcode Detection preprocessor

Dragos Ruiu dr at ...40...
Tue Jan 29 19:50:02 EST 2002

Whoa there....

Please do not use this.

It makes a number of mistakes.  Most important of which is
being able to walk off the end of the packet at pkt_data += intel_njunk[junk_index].len-1;
(Woop! Woop! Danger Will Robinson!)

I have been holding off replying on this thread, because I've been noodling around
with a mutate detector algorithm for about a year now ever since K2 presented his
paper at my conference.  The other problems this algorithm has are that it will
false erm... quite a bit :-), and doing all those strncmps will iterate over
every packet altogether too much and chew up a _lot_ of cpu at higher data rates.

I'll save the rest of the analysis and the refinements needed for when I release my 
detector shortly.  But since this code is remotely exploitable, I thought I should 
post a small warning note, before anyone messes up their nice snort...

I would like to thank Steve for his appreciated and well intentioned effort, and wonder 
if he would like to be an alpha tester for my code... 


Requisite Commercial Content and Disclaimers:  http://cansecwest.com
CanSecWest Network Security Training Conference - Vancouver B.C. - May 1-3 2002
OpenSnort IDS Sensors: http://www.sourcefire.com

On Tue, 29 Jan 2002 14:29:19 -0600
Steve Halligan <agent33 at ...269...> wrote:

> Inspired by Brian's posting of the proof of concept paper about NIDS
> detection of polymorphic shellcode, I went ahead and crufted up a preprocessor
> plugin based on the proof of concept NIDS that the paper provided.
> You can read the paper here:
> http://www.ngsec.com/docs/polymorphic_shellcodes_vs_app_IDSs.PDF
> You can learn about polymorphic shellcode at www.ktwo.ca
> This is pretty much guaranteed to be a massive eater of cpu, so use at your
> own risk.  I haven't had the chance to test this under heavy load, so I
> don't know (but would like to see) how it behaves.  Please play with it and
> send me feedback.
> I am using the same test that the paper's author is, looking for more than X
> number of NOPs or NOP-like bytes in a row.
> To use it:
> 1) plop the 2 attached files in your snort/src/preprocessors/ dir.  
> 2) Edit plugbase.c like this:
>     SetupARPspoof();
>     SetupPolyshell();  <-----add this line
> 3)  Edit plugbase.h like this:
> #include "spp_arpspoof.h"
> #include "spp_polyshell.h"  <----add this line
> 4) edit generators.h like this:
> #define GENERATOR_SPP_POLYSHELL     114                <----this one
> #define     POLYSHELL_TRAFFIC_DETECT              1    <----and this one
> #endif /* __GENERATORS_H__ */
> 5)  Add a line to snort.conf to init it.  The argument sets the number of
> NOPs that need to happen in a row before an alert is generated.  50 is the
> default.
> preprocessor polyshell: 50
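As an added example (this is not Steve's plugin, the NGSec proof of concept, or any Snort code), here is the same "more than X NOP-like bytes in a row" test written so that a multi-byte NOP pattern sitting at the tail of the packet is only compared when it actually fits in the remaining bytes, which is the walk-off-the-end problem Dragos warns about. It uses memcmp bounded by the remaining length instead of strncmp, because strncmp stops at the first 0x00 byte and packet payloads are binary. The NOP table is a constructed, illustrative subset of single- and two-byte x86 instructions, the function names `longest_nop_run` and `polyshell_check` are hypothetical, and the sample payloads are constructed for the demo; the last one shows why Dragos expects false positives, since the ASCII letters A, B and C decode as inc eax/ecx/edx.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One NOP-equivalent instruction pattern.  The table is a constructed,
 * illustrative subset of x86 instructions a sled can be built from; it is
 * not the list from the paper, from ADMmutate, or from any Snort plugin. */
struct nop_pat {
    size_t  len;
    uint8_t bytes[2];
};

static const struct nop_pat nop_table[] = {
    { 2, { 0x66, 0x90 } },  /* two-byte nop (xchg ax,ax); listed first so it wins over plain 0x90 */
    { 1, { 0x90 } },        /* nop */
    { 1, { 0x40 } },        /* inc eax  ('@') */
    { 1, { 0x41 } },        /* inc ecx  ('A') */
    { 1, { 0x42 } },        /* inc edx  ('B') */
    { 1, { 0x43 } },        /* inc ebx  ('C') */
    { 1, { 0x48 } },        /* dec eax  ('H') */
    { 1, { 0x4b } },        /* dec ebx  ('K') */
    { 1, { 0x50 } },        /* push eax ('P') */
    { 1, { 0x53 } },        /* push ebx ('S') */
    { 1, { 0x58 } },        /* pop eax  ('X') */
    { 1, { 0x5b } },        /* pop ebx  ('[') */
    { 1, { 0x98 } },        /* cwde */
    { 1, { 0x99 } },        /* cdq */
    { 1, { 0xf8 } },        /* clc */
    { 1, { 0xf9 } },        /* stc */
    { 1, { 0xfc } },        /* cld */
    { 1, { 0xfd } },        /* std */
};
#define NOP_TABLE_LEN (sizeof nop_table / sizeof nop_table[0])

/* Length of the pattern that matches at p, or 0 if none.  avail is the
 * number of bytes left in the packet from p onward; a pattern is compared
 * only when it fits, so the scan never reads past the end of the buffer.
 * memcmp, not strncmp: a 0x00 byte inside the payload must not stop the compare. */
static size_t match_nop(const uint8_t *p, size_t avail)
{
    for (size_t i = 0; i < NOP_TABLE_LEN; i++) {
        if (nop_table[i].len <= avail &&
            memcmp(p, nop_table[i].bytes, nop_table[i].len) == 0)
            return nop_table[i].len;
    }
    return 0;
}

/* Longest run, in bytes, of back-to-back NOP-equivalent instructions. */
size_t longest_nop_run(const uint8_t *pkt, size_t len)
{
    size_t pos = 0, run = 0, best = 0;

    while (pos < len) {
        size_t n = match_nop(pkt + pos, len - pos);
        if (n == 0) {           /* not a NOP-like byte: run is broken */
            run = 0;
            pos++;
            continue;
        }
        run += n;               /* advance by the whole instruction */
        pos += n;
        if (run > best)
            best = run;
    }
    return best;
}

/* The "preprocessor polyshell: <threshold>" decision: 1 = alert, 0 = quiet. */
int polyshell_check(const uint8_t *pkt, size_t len, size_t threshold)
{
    return longest_nop_run(pkt, len) >= threshold;
}

/* Constructed sample payloads (not captured traffic). */
const uint8_t sample_sled[] = {
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,   /* 8 x nop            */
    0x66, 0x90,                                       /* two-byte nop       */
    0x40, 0x50,                                       /* inc eax, push eax  */
    0xff,                                             /* breaks the run     */
    0x90, 0x90
};
/* Ends in the first byte of a two-byte pattern: a scanner that does not
 * check the remaining length would read one byte past the end here. */
const uint8_t sample_trailing_prefix[] = { 0x90, 0x90, 0x66 };
/* Plain ASCII text that is entirely inc eax/ecx/edx: a false positive. */
const uint8_t sample_text[] = "ABCABCABCABC";

int main(void)
{
    printf("sled sample:     longest run %zu bytes\n", longest_nop_run(sample_sled, sizeof sample_sled));
    printf("trailing prefix: longest run %zu bytes\n", longest_nop_run(sample_trailing_prefix, sizeof sample_trailing_prefix));
    printf("ASCII text:      longest run %zu bytes, alert at 10: %d\n",
           longest_nop_run(sample_text, sizeof sample_text - 1),
           polyshell_check(sample_text, sizeof sample_text - 1, 10));
    return 0;
}
```

The length check inside `match_nop` is the whole fix for the out-of-bounds read; everything else is the same linear scan. Note that a threshold of 50 on a table this permissive will still fire on long runs of printable text, which is the false-positive rate Dragos mentions, and the per-byte table walk is the CPU cost he mentions.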
