[Snort-sigs] Another idea for the preprocessor
josephgama at ...144...
Tue Aug 10 16:28:11 EDT 2004
I don't know which preprocessor handles the encoding
detected in my previous email. Here is another idea:
To add code to decode the MS encoded scripts.
Why? All the latest worms have been encoded and the
rules can't detect the patterns we have already
defined for malware. One space is enough to make the
encoded script totally different, and hardcoded rules
based on chunks of encoded script would fail.
How? There is code online on how to do it but I am not
familiar with the code for the preprocessors and I
don't even know where to add this code.
Does anyone want to work on this project with me?