Re: A Neural Network to detect polymorphic shellcodes


A simpler strategy is to look for distinguishing features of the mutator.
I wrote such a preprocessor to detect mutated NOP sleds for snort a
while back. Search for "spp_fnord.c" in bugtraq archives and you
should find it.

I know the preprocessor. the probleme is its false posetive rate. I have not teted it but I read a lot about it.

I geuss the false posetive rate could be decreased if the fix threshould of the NOP sled to a higher value. I am not sure but I remember thatr I read that linux shellcode have generally a big NOP zone (grater than 100 bytes) this true? (I focus on detecting Linux polymorphic worms)

MSN Messenger: appels gratuits de PC à PC !

Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to to learn more.