[Snort-sigs] Another idea for the preprocessor

Joseph Gama josephgama at ...144...
Tue Aug 10 16:28:11 EDT 2004


Hi again,

I don't know which preprocessor handles the encoding
and I mentioned how some encoded Javascript was not
detected in my previous email. Here is another idea:

To add code to decode the MS encoded scripts.
Like this:
   <SCRIPT LANGUAGE="JScript.Encode">
    <!--//
    //**Start Encode**#@~^UgAAAA==@#@&P~,PJeb~ZC&l^+.Y,`EO4k/,^W9+Pk4GE^N,4nPVnaY~/^DYZZe"JbI@#@&~P,~JzR
@*@#@&P,PIhMAAA==^#~@</SCRIPT>

Why? All the latest worms have been encoded and the
rules can't detect the patterns we have already
defined for malware. One space is enough to make the
encoded script totally different and hardcoded rules
based on chunks of encoded script would fail
miserably.
How? There is code online on how to do it but I am not
familiar with the code for the preprocessors and I
don't even know where to add this code.

Does anyone want to work on this project with me?

Any comments?

Peace,

Joseph Gama
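
Added example, not part of the original post and not Snort code: a Python sketch of the step a decoder would need first, locating Script Encoder blocks by their fixed `#@~^` / `^#~@` markers and header fields rather than by chunks of the encoded body. It does not decode the body (the substitution tables are not on this page); the function names and the HTML wrapped around the post's sample are assumptions.

```python
import base64
import re
import struct

# Constructed sample: the encoded block quoted in the post, with the mail's
# line wraps removed, placed inside a made-up HTML page.
SAMPLE = (
    b'<html><SCRIPT LANGUAGE="JScript.Encode">\n<!--//\n//**Start Encode**'
    b'#@~^UgAAAA==@#@&P~,PJeb~ZC&l^+.Y,`EO4k/,^W9+Pk4GE^N,4nPVnaY~/^DYZZe"JbI'
    b'@#@&~P,~JzR@*@#@&P,PIhMAAA==^#~@</SCRIPT></html>'
)

B64 = rb'[A-Za-z0-9+/]{6}'
# Start marker, 6 base64 chars (length), "==", body,
# 6 base64 chars (checksum), "==", end marker.
BLOCK = re.compile(rb'#@~\^(' + B64 + rb')==(.*?)(' + B64 + rb')==\^#~@',
                   re.DOTALL)
LANG_ATTR = re.compile(rb'language\s*=\s*["\']?(JScript|VBScript)\.Encode',
                       re.IGNORECASE)
# Two-character escapes used inside the body: @# CR, @& LF, @! <, @* >, @$ @
ESCAPE = re.compile(rb'@[#&!*$]')


def _le32(six_chars):
    """Decode a 6-char base64 field into its 32-bit little-endian integer."""
    return struct.unpack('<I', base64.b64decode(six_chars + b'=='))[0]


def find_encoded_scripts(payload):
    """Return one record per Script Encoder block found in payload (bytes)."""
    hits = []
    for m in BLOCK.finditer(payload):
        body = m.group(2)
        hits.append({
            'offset': m.start(),                    # where the block starts
            'declared_length': _le32(m.group(1)),   # length field from header
            'checksum_field': _le32(m.group(3)),    # trailer field, unverified
            'escapes': len(ESCAPE.findall(body)),   # escape pairs in the body
            'body': body,                           # still encoded
        })
    return hits


def has_encode_attribute(payload):
    """True if a SCRIPT tag declares JScript.Encode or VBScript.Encode."""
    return LANG_ATTR.search(payload) is not None
```

The markers and header layout stay the same however the script text changes, so they give a stable anchor for flagging encoded script even when the body bytes differ.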


	
		



