RE: Polymorphic Shellcode detection

["Aleksander P. Czarnowski" <alekc () avet com pl>]

Hi,

> AFAIK Prelude's implementation is not documented (well, you have the
> source ;)), but IIRC works around the same concept 

Actually fnord preprocessor source code from snort 1.9.x is quite simple to understand - I would advise to take a look 
at it. However to understand some issues regarding polymorphic shellcode detection one needs to understand how specific 
opcode streams work on different architectures. There is also a problem of how assemblers translate mnemonic into 
opcodes... A good example for i386 architecture is trying to assemble an xchg ax,ax and later disassembling it ;-). 
Also some optimization techniques changes output code. Again in i386 code some lea opcodes can be changed to mov etc...
Just my 2 cents,
Best Regards
Aleksander Czarnowski
AVET INS


-------------------------------------------------------------------------------
Can you respond to attacks based on attack type, severity, source IP,
destination IP, number of times attacked, or the time of day an attack
occurs? No?
No wonder why you're swamped with false positives!
Download a free 15-day trial of Border Guard and watch your false
positives disappear.

http://www.securityfocus.com/StillSecure-focus-ids2
-------------------------------------------------------------------------------