Re: A Neural Network to detect polymorphic shellcodes
- From: "Mina G" <mimanium@xxxxxxxxxxx>
- Date: Wed, 26 Jul 2006 08:28:29 +0000
Hi,
> A simpler strategy is to look for distinguishing features of the mutator.
> I wrote such a preprocessor to detect mutated NOP sleds for snort a
> while back. Search for "spp_fnord.c" in bugtraq archives and you
> should find it.
I know the preprocessor. The problem is its false positive rate. I have not tested it but I read a lot about it.
I guess the false positive rate could be decreased if the fixed threshold of the NOP sled is set to a higher value. I am not sure, but I remember that I read that Linux shellcode generally has a big NOP zone (greater than 100 bytes)... is this true? (I focus on detecting Linux polymorphic worms.)
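The threshold trade-off raised in this message, as an added example (not part of the original post and not spp_fnord's code): a run-length detector over an assumed, illustrative set of single-byte NOP-equivalent opcodes, run on constructed samples. It shows a low threshold alerting on benign base64 padding, and a threshold above the run length missing the sled-like buffer.

```c
#include <stdio.h>
#include <string.h>
/* Illustrative subset of single-byte x86 NOP-equivalents (not spp_fnord's table). */
static int is_nop_like(unsigned char b)
{
    return b == 0x90 || (b >= 0x40 && b <= 0x4f) ||            /* nop, inc/dec r32 */
           b == 0x27 || b == 0x2f || b == 0x37 || b == 0x3f || /* daa das aaa aas */
           b == 0x98 || b == 0x99 || b == 0x9b ||              /* cwde cdq wait */
           b == 0xf5 || b == 0xf8 || b == 0xf9 || b == 0xfc;   /* cmc clc stc cld */
}

/* Length of the longest run of consecutive NOP-like bytes in buf. */
size_t longest_nop_run(const unsigned char *buf, size_t len)
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        cur = is_nop_like(buf[i]) ? cur + 1 : 0;
        if (cur > best) best = cur;
    }
    return best;
}

/* Alert when the longest run reaches the configured threshold. */
int sled_alert(const unsigned char *buf, size_t len, size_t threshold)
{
    return longest_nop_run(buf, len) >= threshold;
}

/* Constructed benign sample: 32 x 'A' (0x41, inc ecx), as in base64 zero padding. */
static const unsigned char benign[] = "X-Data: " "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "==";

/* Constructed sled-like sample: n mixed NOP-like bytes, no payload follows. */
void make_sled(unsigned char *out, size_t n)
{
    static const unsigned char mix[] = { 0x90, 0x41, 0xf8, 0x99, 0x4b };
    for (size_t i = 0; i < n; i++) out[i] = mix[i % sizeof mix];
}

int main(void)
{
    unsigned char sled[128];
    const size_t thresholds[] = { 16, 64, 100, 128 };
    memset(sled, 0xcc, sizeof sled);  /* 0xcc filler is not NOP-like */
    make_sled(sled, 120);             /* 120-byte run, then 8 filler bytes */
    for (size_t i = 0; i < sizeof thresholds / sizeof thresholds[0]; i++)
        printf("threshold %3zu: benign=%d sled=%d\n", thresholds[i],
               sled_alert(benign, sizeof benign - 1, thresholds[i]),
               sled_alert(sled, sizeof sled, thresholds[i]));
    return 0;
}
```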
- References:
- Re: A Neural Network to detect polymorphic shellcodes
- From: Dragos Ruiu
- Re: A Neural Network to detect polymorphic shellcodes