Hi,
A simpler strategy is to look for distinguishing features of the mutator.
I wrote such a preprocessor to detect mutated NOP sleds for snort a
while back. Search for "spp_fnord.c" in bugtraq archives and you
should find it.
I know the preprocessor. The problem is its false positive rate. I have not
tested it but I read a lot about it.
I guess the false positive rate could be decreased if the threshold of
the NOP sled were fixed to a higher value. I am not sure but I remember that I read
that Linux shellcode generally has a big NOP zone (greater than 100
bytes)... is this true? (I focus on detecting Linux polymorphic worms)
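The trade-off raised in the reply (a low sled-length threshold catches short sleds but fires on ordinary traffic, a high one such as 100 bytes only fires on long sleds) can be seen with a small threshold-based run-length detector. The following is an added example, not code from this thread and not the fnord preprocessor itself; the set of single-byte NOP-equivalent x86 opcodes is a subset assumed for illustration, and both input samples are constructed. The text sample shows why fnord-style detectors produce false positives: uppercase ASCII letters fall in the 0x40-0x5f range of inc/dec/push/pop opcodes, so a plain uppercase token looks like a sled.

```python
# Added example (not from the thread): threshold-based detection of
# polymorphic NOP sleds in the spirit of fnord, showing how the sled
# length threshold trades false positives against missed short sleds.

# Subset of x86 single-byte instructions that leave a sled executable.
# Assumed for illustration; a real preprocessor would use a tuned list.
NOP_EQUIVALENTS = frozenset(
    [0x90]                              # nop
    + list(range(0x40, 0x60))           # inc/dec reg, push/pop reg
    + list(range(0x91, 0x98))           # xchg eax, reg
    + [0x98, 0x99, 0x9B, 0x9E, 0x9F]    # cwde, cdq, fwait, sahf, lahf
    + [0xF5, 0xF8, 0xF9, 0xFC, 0xFD]    # cmc, clc, stc, cld, std
    + [0x27, 0x2F, 0x37, 0x3F]          # daa, das, aaa, aas
)


def longest_nop_run(data: bytes) -> int:
    """Length of the longest contiguous run of NOP-equivalent bytes."""
    best = run = 0
    for b in data:
        if b in NOP_EQUIVALENTS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def is_suspected_sled(data: bytes, threshold: int) -> bool:
    """Flag the buffer if any NOP-equivalent run reaches the threshold."""
    return longest_nop_run(data) >= threshold


def scan(samples: dict, threshold: int) -> dict:
    """Run the detector over named samples; returns name -> flagged."""
    return {name: is_suspected_sled(data, threshold) for name, data in samples.items()}


# Constructed benign sample: an HTTP request with an uppercase path.
# "/ABC...XYZ" is 27 bytes that all decode as NOP-equivalents.
TEXT_SAMPLE = b"GET /ABCDEFGHIJKLMNOPQRSTUVWXYZ HTTP/1.0\r\n"

# Constructed sled-like sample: 120 bytes of mixed NOP-equivalents
# followed by eight zero bytes standing in for whatever would follow.
SLED_SAMPLE = bytes([0x90, 0x41, 0x42, 0x97, 0x99, 0xF8, 0x4B, 0x27] * 15) + b"\x00" * 8

SAMPLES = {"http_request": TEXT_SAMPLE, "mixed_sled": SLED_SAMPLE}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: longest run = {longest_nop_run(data)}")
    for threshold in (16, 100):
        print(f"threshold {threshold}: {scan(SAMPLES, threshold)}")
```

With threshold 16 both samples are flagged, so the HTTP request is a false positive; with threshold 100 only the 120-byte sled is flagged. Raising the threshold therefore does cut false positives from text protocols, at the cost of missing any sled shorter than the threshold, which is exactly the bet the reply describes when it asks how long Linux sleds usually are.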