Snort mailing list archives
fast_pattern:only in rule 2101390 (GPL SHELLCODE x86 inc ebx NOOP)?
From: Cyrille Bollu <cyrille.bollu () gmail com>
Date: Tue, 14 Jan 2014 16:08:38 +0100
Hi,

As of today, the "GPL SHELLCODE x86 inc ebx NOOP" rule uses the fast_pattern:only modifier.

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; classtype:shellcode-detect; sid:2101390; rev:7;)

This means that this rule will also trigger on "cccccccccccccccccc" content (as explained in http://vrt-blog.snort.org/2012/02/low-hanging-fruit.html : "It is important to know that because the fast pattern matcher is case agnostic, any match that is marked as *fast_pattern:only;* acts as if it had the *nocase;* modifier.").

Is it really intended? I don't know much about shellcodes. But Google doesn't seem to think that "ccccccc..." is a NOP sled. At least, it definitively doesn't match the signature message; in this case, this would be more an "ARPL NOOP".

How could I have that corrected?

Best regards,

Cyrille
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
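To make the point of the post concrete, here is an added toy model (not Snort's real matcher, and not code from the post or from the Snort project) of how a fast_pattern:only content behaves next to an ordinary case-sensitive content. The sample payloads are constructed; the opcode names for 0x43 (inc ebx) and 0x63 (arpl) are standard 32-bit x86 single-byte encodings.

```python
from typing import Dict, Optional, Tuple

# The content string of sid 2101390 and the two one-byte x86 opcodes the
# thread mentions (32-bit mode). Assumed for this example, not taken from Snort.
RULE_CONTENT = b"C" * 24           # content:"CCCCCCCCCCCCCCCCCCCCCCCC"
OPCODE_NAMES = {0x43: "inc ebx", 0x63: "arpl"}

def fast_pattern_hit(payload: bytes, pattern: bytes) -> bool:
    """Model the fast-pattern prefilter, which folds case."""
    return pattern.lower() in payload.lower()

def content_hit(payload: bytes, pattern: bytes, nocase: bool) -> bool:
    """Model the full content check that normally runs after a prefilter hit."""
    return fast_pattern_hit(payload, pattern) if nocase else pattern in payload

def rule_alerts(payload: bytes, pattern: bytes = RULE_CONTENT,
                fast_pattern_only: bool = True, nocase: bool = False) -> bool:
    """fast_pattern:only treats the prefilter hit as final, so no case-sensitive
    check ever runs; without it, the content check decides."""
    if not fast_pattern_hit(payload, pattern):
        return False
    return True if fast_pattern_only else content_hit(payload, pattern, nocase)

def matched_opcode(payload: bytes, pattern: bytes = RULE_CONTENT) -> Optional[str]:
    """Name the opcode of the byte that actually filled the matched run."""
    idx = payload.lower().find(pattern.lower())
    if idx < 0:
        return None
    return OPCODE_NAMES.get(payload[idx], "0x%02x" % payload[idx])

# Constructed sample payloads, not captured traffic.
SAMPLES = {
    "inc ebx sled": b"\x90" * 4 + RULE_CONTENT + b"\xcc",
    "lowercase run": b"GET /" + b"c" * 24 + b".html HTTP/1.0\r\n",
    "short run": b"C" * 8,
}

def evaluate(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, Tuple[bool, bool, Optional[str]]]:
    """Per payload: (alerts with the rule as written, alerts if fast_pattern:only
    were dropped and the content stayed case-sensitive, opcode behind the match)."""
    return {name: (rule_alerts(p), rule_alerts(p, fast_pattern_only=False), matched_opcode(p))
            for name, p in samples.items()}

if __name__ == "__main__":
    for name, (as_written, case_sensitive, opcode) in evaluate().items():
        print(f"{name:14s} as-written={as_written} case-sensitive={case_sensitive} opcode={opcode}")
```

The "lowercase run" sample alerts under the rule as written but not once the prefilter hit has to pass a case-sensitive content check, which is the behaviour the post is asking about.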