Snort mailing list archives
Re: Detecting Packed Executables?
From: Matt Jonkman <jonkman () jonkmans com>
Date: Fri, 18 Jul 2008 18:07:17 -0400
We've got sigs for Themida, WinUPack, FSG and RLPack in the emerging ruleset. There are many more we could sig, but the research hasn't been done yet. These that we have are very effective. If you're interested in helping out on the research I'd happily work with you. Matt Tommy Cansanay wrote:
Has anybody successfully created signatures that detect packers? I tried a simple content search where the sniffer sees the packed executable, but Snort does not. Tried several things, which included Hex, pcre, used |03| (DNS search), etc, but no luck. Doing some google searches, PE hunter could possibly do the trick, but it requires re-compiling snort. I was wondering if there was an easier way. Thanks ------------------------------------------------------------------------ ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ ------------------------------------------------------------------------ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Detecting Packed Executables? Tommy Cansanay (Jul 18)
- Re: Detecting Packed Executables? Matt Jonkman (Jul 18)