IDS mailing list archives
RE: Polymorphic Shellcode detection
From: "Aleksander P. Czarnowski" <alekc () avet com pl>
Date: Wed, 7 May 2003 00:10:01 +0200
Hi,
AFAIK Prelude's implementation is not documented (well, you have the source ;)), but IIRC it works around the same concept.

Actually the fnord preprocessor source code from snort 1.9.x is quite simple to understand - I would advise taking a look at it. However, to understand some issues regarding polymorphic shellcode detection one needs to understand how specific opcode streams work on different architectures. There is also the problem of how assemblers translate mnemonics into opcodes... A good example for the i386 architecture is trying to assemble an xchg ax,ax and later disassembling it ;-). Also some optimization techniques change the output code. Again, in i386 code some lea opcodes can be changed to mov etc...

Just my 2 cents,

Best Regards
Aleksander Czarnowski
AVET INS
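An added example, not code from the post, from Snort's fnord preprocessor or from Prelude, illustrating the two points the reply makes: a fnord-style sled heuristic that decodes the byte stream and counts consecutive execution-neutral instructions instead of matching one exact byte string, and the fact that one mnemonic (xchg ax,ax) has more than one encoding. The opcode table, the run threshold, the signature, and the sample byte strings are constructed assumptions chosen for illustration, not fnord's actual tables or thresholds.

```python
"""Fnord-style NOP-sled heuristic versus an exact byte signature.

Illustrative re-implementation of the idea discussed in the thread. The
instruction table below is an assumption for this example, not the table
used by the Snort fnord preprocessor.
"""

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Single-byte i386 instructions that do not disturb control flow and can
# therefore serve as sled filler (illustrative subset, not exhaustive).
SINGLE_BYTE_NEUTRAL = {0x90: "nop"}
SINGLE_BYTE_NEUTRAL.update({0x40 + r: f"inc {reg}" for r, reg in enumerate(REGS32)})
SINGLE_BYTE_NEUTRAL.update({0x48 + r: f"dec {reg}" for r, reg in enumerate(REGS32)})
SINGLE_BYTE_NEUTRAL.update({0xF8: "clc", 0xF9: "stc", 0xFC: "cld", 0xFD: "std"})

# Multi-byte encodings an assembler may emit for the same mnemonic. Both
# "66 90" and "66 87 C0" disassemble to xchg ax,ax; "87 C0" is the ModRM
# form of xchg eax,eax, i.e. the long form of nop (0x90).
MULTI_BYTE_NEUTRAL = {
    b"\x66\x87\xc0": "xchg ax,ax",
    b"\x66\x90": "xchg ax,ax",
    b"\x87\xc0": "xchg eax,eax",
}

SLED_THRESHOLD = 16            # assumed: consecutive neutral instructions
NOP_SIGNATURE = b"\x90" * 8    # assumed: naive exact-byte signature


def neutral_instruction(buf, i):
    """Decode the neutral instruction at buf[i]; return (length, mnemonic) or (0, None)."""
    for enc, mnemonic in MULTI_BYTE_NEUTRAL.items():   # multi-byte forms first
        if buf[i:i + len(enc)] == enc:
            return len(enc), mnemonic
    if buf[i] in SINGLE_BYTE_NEUTRAL:
        return 1, SINGLE_BYTE_NEUTRAL[buf[i]]
    return 0, None


def longest_neutral_run(buf):
    """Return (instruction_count, start_offset, end_offset) of the longest
    run of consecutive execution-neutral instructions in buf."""
    best = (0, 0, 0)
    run_count = run_start = 0
    i = 0
    while i < len(buf):
        n, _ = neutral_instruction(buf, i)
        if n:
            if run_count == 0:
                run_start = i
            run_count += 1
            i += n
        else:
            run_count = 0
            i += 1                # resynchronise one byte later
        if run_count > best[0]:
            best = (run_count, run_start, i)
    return best


def signature_match(buf, sig=NOP_SIGNATURE):
    """Exact byte-string matching: what a plain content rule does."""
    return sig in buf


def classify(buf, threshold=SLED_THRESHOLD):
    """Compare both approaches on one buffer."""
    count, start, end = longest_neutral_run(buf)
    return {
        "signature_hit": signature_match(buf),
        "heuristic_hit": count >= threshold,
        "run": (count, start, end),
    }


# Constructed sample inputs (not real captures).
CLASSIC_SLED = b"\x90" * 32 + b"\xcc" * 4
# Sled built from inc/dec, clc and both xchg ax,ax encodings: no 0x90 run at all.
VARIED_SLED = b"\x41\x48\x66\x87\xc0\xf8\x66\x90" * 6 + b"\xcc" * 4
# Benign text: uppercase 'A'..'O' are 0x41..0x4F (inc/dec), hence the threshold.
HTTP_REQUEST = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for name, buf in [("classic", CLASSIC_SLED), ("varied", VARIED_SLED), ("http", HTTP_REQUEST)]:
        print(name, classify(buf))
```

The varied buffer contains no eight-byte 0x90 run, so the exact signature misses it, while the instruction-level heuristic still sees thirty consecutive neutral instructions. The benign request shows the flip side: printable uppercase letters decode as single-byte inc/dec, so a threshold on run length (and, in a real preprocessor, a far more complete decoder) is what keeps ordinary text from being flagged.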
Current thread:
- Polymorphic Shellcode detection ulfabodo (May 06)
- Re: Polymorphic Shellcode detection Randy Taylor (May 06)
- Re: Polymorphic Shellcode detection Krzysztof Zaraska (May 06)
- RE: Polymorphic Shellcode detection Aleksander P. Czarnowski (May 06)
- Re: Polymorphic Shellcode detection Jeremy Bennett (May 06)
- Re: Polymorphic Shellcode detection zheng (May 08)
- Re: Polymorphic Shellcode detection sam stover (May 12)
- Re: Polymorphic Shellcode detection Robert Graham (May 12)
- Re: Polymorphic Shellcode detection sam stover (May 12)
- <Possible follow-ups>
- Re: Polymorphic Shellcode detection David Barroso (May 06)