Dailydave mailing list archives

Anonymized email re: sigs


From: Dave Aitel <dave () immunityinc com>
Date: Mon, 28 Apr 2008 13:58:43 -0400

An anonymized message follows with my comments in []'s
-dave
______________________________________________________________________

Anonymize this if you want to repost - some IPS/IDS canvas sigs:

On Monday 28 April 2008, Dave Aitel wrote:
| > Of course, it breaks the CANVAS license for AV vendors to write
| > signatures for CANVAS, so there won't be any "CANVAS Rootkit"
| > signatures, although we do get picked up by generic signatures for
| > things sometimes.
[editor comment (dave): hmmm]
TippingPoint:
    4933: Canvas: Canvas Shellcode
    5171: Canvas: Canvas Shellcode
    5172: Canvas: Canvas Shellcode

[editor comment: Some of these don't make any sense? Should BABYBOTTLE 
add rand(5) spaces to the front to avoid simple gzip sigs?]
Juniper:
    CANVAS-BABYBOTTLE
    CANVAS-BABYBOTTLE-GZIP
    CANVAS:AVGTCPSRV
    CANVAS:CANVAS-HELIUM
    CANVAS:ESERV
    CANVAS:FEDORA4
    CANVAS:INGRESS
    CANVAS:LINUXSNMP
    CANVAS:MAILENABLE
    CANVAS:NETWORKER-3
    CANVAS:NOVELL2
    CANVAS:TIVOLI3
    CANVAS:WORDMAIL3

[editor comment - these are now removed from VRT]
Snort:
    ./sid-msg.map:10506 || SHELLCODE Canvas shellcode basic encoder
    ./sid-msg.map:10507 || SHELLCODE Canvas shellcode basic encoder
    ./sid-msg.map:10508 || SHELLCODE Canvas shellcode basic encoder
    ./sid-msg.map:10509 || SHELLCODE Canvas shellcode basic encoder
    ./sid-msg.map:10510 || SHELLCODE Canvas shellcode basic encoder
    ./sid-msg.map:10511 || SHELLCODE Canvas shellcode basic encoder
    ./sid-msg.map:10512 || SHELLCODE Canvas shellcode basic encoder
    ./sid-msg.map:10513 || SHELLCODE Canvas shellcode basic encoder

