Dailydave mailing list archives
Anonymized email re: sigs
From: Dave Aitel <dave () immunityinc com>
Date: Mon, 28 Apr 2008 13:58:43 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

An anonymized message follows with my comments in []'s
- -dave
______________________________________________________________________

Anonymize this if you want to repost - some IPS/IDS canvas sigs:

On Monday 28 April 2008, Dave Aitel wrote:
| > Of course, it breaks the CANVAS license for AV vendors to write
| > signatures for CANVAS, so there won't be any "CANVAS Rootkit"
| > signatures, although we do get picked up by generic signatures for
| > things sometimes.

[editor comment (dave): hmmm]

TippingPoint:
4933: Canvas: Canvas Shellcode
5171: Canvas: Canvas Shellcode
5172: Canvas: Canvas Shellcode

[editor comment: Some of these don't make any sense? Should BABYBOTTLE add rand(5) spaces to the front to avoid simple gzip sigs?]

Juniper:
CANVAS-BABYBOTTLE
CANVAS-BABYBOTTLE-GZIP
CANVAS:AVGTCPSRV
CANVAS:CANVAS-HELIUM
CANVAS:ESERV
CANVAS:FEDORA4
CANVAS:INGRESS
CANVAS:LINUXSNMP
CANVAS:MAILENABLE
CANVAS:NETWORKER-3
CANVAS:NOVELL2
CANVAS:TIVOLI3
CANVAS:WORDMAIL3

[editor comment - these are now removed from VRT]

Snort:
./sid-msg.map:10506 || SHELLCODE Canvas shellcode basic encoder
./sid-msg.map:10507 || SHELLCODE Canvas shellcode basic encoder
./sid-msg.map:10508 || SHELLCODE Canvas shellcode basic encoder
./sid-msg.map:10509 || SHELLCODE Canvas shellcode basic encoder
./sid-msg.map:10510 || SHELLCODE Canvas shellcode basic encoder
./sid-msg.map:10511 || SHELLCODE Canvas shellcode basic encoder
./sid-msg.map:10512 || SHELLCODE Canvas shellcode basic encoder
./sid-msg.map:10513 || SHELLCODE Canvas shellcode basic encoder

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIFhBTtehAhL0gheoRAkxvAJ9+plM06s5O/l4M7v1L1dhNFQDB6QCePN2n
b8eyXFEF1qRYaJ1QCBGG1TE=
=ivQa
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave