[Snort-devel] Polymorphic Shellcode Detection preprocessor

Steve Halligan agent33 at ...269...
Wed Jan 30 10:13:05 EST 2002


I believe that this is fixed now, I realize that Dragos will probably come
up with a much better preprocessor, but does anyone feel like humoring me
and checking this new version out?

Again, to stress, do not use this on production machines.  It is thoroughly
ALPHA, and probably will get bogged down a lot under heavy load.

-steve

 
> > It makes a number of mistakes.  Most important of which is
> > being able to walk off the end of the packet at
> > pkt_data += intel_njunk[junk_index].len-1;
> > (Woop! Woop! Danger Will Robinson!)
> >
> Whoops, that is what I get for porting someone else's code without auditing
> it carefully, sorry :(.  Even though the plugin Dragos is working on is
> probably better, and, as I think I mentioned quite a few times, mine will
> eat cpu at high data rates, I am gonna fix it, just for the mental exercise.
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: spp_polyshell.c
Type: application/octet-stream
Size: 12410 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20020130/e9c5a0d0/attachment.obj>
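
The overrun described in the quoted review, as an added example that is not part of the original post or of the attached spp_polyshell.c: a scan that checks each table entry's length against the bytes left in the packet before comparing or advancing. The `junk_op` struct, the `junk_tab` entries and `longest_junk_run` are hypothetical; the page shows only `intel_njunk[junk_index].len`.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical table entry: the post only shows intel_njunk[junk_index].len. */
struct junk_op {
    const unsigned char *bytes;
    size_t len;
};

/* Constructed sample entries, not the plugin's real table. */
static const struct junk_op junk_tab[] = {
    { (const unsigned char *)"\x90", 1 },      /* nop */
    { (const unsigned char *)"\x40", 1 },      /* inc eax */
    { (const unsigned char *)"\x89\xc0", 2 },  /* mov eax, eax */
};
#define NJUNK (sizeof junk_tab / sizeof junk_tab[0])

/* Return the longest run of consecutive junk instructions in pkt[0..pkt_len).
 * Every compare and every advance is checked against the bytes remaining. */
size_t longest_junk_run(const unsigned char *pkt, size_t pkt_len)
{
    size_t best = 0, run = 0, off = 0;

    while (off < pkt_len) {
        size_t remaining = pkt_len - off, step = 0;

        for (size_t i = 0; i < NJUNK; i++) {
            /* A multi-byte entry that does not fit is skipped, never read. */
            if (junk_tab[i].len <= remaining &&
                memcmp(pkt + off, junk_tab[i].bytes, junk_tab[i].len) == 0) {
                step = junk_tab[i].len;
                break;
            }
        }
        if (step) {
            if (++run > best)
                best = run;
            off += step;   /* step <= remaining, so off never passes pkt_len */
        } else {
            run = 0;
            off++;
        }
    }
    return best;
}
```

The unchecked form advances the pointer by the entry length without comparing it to the bytes left, so a multi-byte entry matched near the end of the payload moves the cursor past the buffer.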

