Snort mailing list archives
Re: Experimental Shellcode ?
From: Render-Vue <sales () render-vue com>
Date: Wed, 20 Feb 2002 11:02:42 +1300
Hi Yah Chris,

Thanks for the fast and educational reply :)

Much appreciated

Regards from Auckland
Chae

At 10:54 AM 2/20/02, you wrote:
Render-Vue <sales () render-vue com> writes:

> Hi Yah,
>
> Noticed this one from version 1.8.3 logs
>
> EXPERIMENTAL SHELLCODE x86 NOOP
> 2 209.52.171.15 -> xxx.xxx.64.121
>
> I've done a search on google etc but can't find an explanation. Can
> anyone enlighten me please

A NOOP is a computer instruction to do nothing. They are often used to pad buffer overflow exploits so typically you would look at the full packet data and find the context of the packet and find out if it was something against something neat like a rpc service or something mundane like the middle of an MP3.

The rule that set it off looks like:

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPERIMENTAL SHELLCODE x86 NOOP"; content:"|61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61|"; classtype:shellcode-detect; sid:1394; rev:1;)

--
Chris Green <cmg () uab edu>
A good pun is its own reword.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Render-Vue - <http://render-vue.com>
Web Site Hosting - Web Site Design
"Letting the world see who you really are(tm)"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Auckland, New Zealand. 1705
Tel:- +64 9 536 6367
Mobile:- 025 291 6894
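
An added triage example, not part of the original posts and not Snort's own code: it decodes the content option of the rule quoted above and reports where the pattern falls in a payload, with the surrounding bytes as context. Byte 0x61 is also ASCII `a`, so a run of that letter in ordinary text matches; the function names and both sample payloads are constructed for illustration, and escaped characters inside content strings are not handled.

```python
import re

# Rule text as quoted in the thread (sid:1394).
RULE = ('alert ip $EXTERNAL_NET any -> $HOME_NET any '
        '(msg:"EXPERIMENTAL SHELLCODE x86 NOOP"; '
        'content:"|61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61|"; '
        'classtype:shellcode-detect; sid:1394; rev:1;)')

def parse_content(rule):
    """Decode the rule's content option: |..| spans are hex bytes, the rest literal text."""
    m = re.search(r'content:\s*"([^"]*)"', rule)
    if m is None:
        raise ValueError("rule has no content option")
    out = bytearray()
    # Splitting on '|' alternates literal text (even index) and hex (odd index).
    for i, part in enumerate(m.group(1).split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def triage(payload, pattern, ctx=16):
    """Return (offset, run_length, before, after) for the first match, or None."""
    off = payload.find(pattern)
    if off < 0:
        return None
    end = off + len(pattern)
    # Extend the match to the full run when the pattern is a single repeated byte.
    if len(set(pattern)) == 1:
        while end < len(payload) and payload[end] == pattern[0]:
            end += 1
    return off, end - off, payload[max(0, off - ctx):off], payload[end:end + ctx]

def printable_ratio(data):
    """Share of printable ASCII bytes; high values suggest text rather than binary."""
    return sum(32 <= b < 127 for b in data) / len(data) if data else 0.0

# Constructed sample payloads (not captured traffic).
TEXT_PAYLOAD = b"POST /form HTTP/1.0\r\n\r\ncomment=" + b"a" * 40 + b"&submit=Send"
OTHER_PAYLOAD = b"GET /index.html HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    pat = parse_content(RULE)
    for name, p in (("text", TEXT_PAYLOAD), ("other", OTHER_PAYLOAD)):
        hit = triage(p, pat)
        if hit:
            off, run, before, after = hit
            print(name, off, run, before, after, round(printable_ratio(p), 2))
        else:
            print(name, "no match")
```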
Current thread:
- Experimental Shellcode ? Render-Vue (Feb 19)
- Re: Experimental Shellcode ? Chris Green (Feb 19)
- Re: Experimental Shellcode ? Render-Vue (Feb 19)
- Re: Experimental Shellcode ? Chris Green (Feb 19)