Re: Experimental Shellcode ?

[Render-Vue <sales () render-vue com>]

Hi Yah Chris,

Thanks for the fast and eductaional reply :)

Much appreciated

Regards from Auckland

Chae

At 10:54 AM 2/20/02, you wrote:
> Render-Vue <sales () render-vue com> writes:
>
> > Hi Yah,
> >
> > Noticed this one from version 1.8.3 logs
> >
> > EXPERIMENTAL SHELLCODE x86 NOOP
> > 2 209.52.171.15 -> xxx.xxx.64.121
> >
> > I've done a search on google etc but can't find an explaination. Can
> > anyone enlighten me please
>
>
> A NOOP is a computer instruction to do nothing.   They are often used
> to pad buffer overflow exploits so typically you would look at the
> full packet data and find the context of the packet and find out if it
> was something against something neat like a rpc service or something
> mundane like the middle of an MP3.
>
> The rule that set it off looks like:
>
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPERIMENTAL
> SHELLCODE x86 NOOP"; content:"|61 61 61 61 61 61 61 61 61 61 61 61 61
> 61 61 61 61 61 61 61 61|"; classtype:shellcode-detect; sid:1394;
> rev:1;)
> --
> Chris Green <cmg () uab edu>
> A good pun is its own reword.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Render-Vue - <http://render-vue.com>
Web Site Hosting - Web Site Design
"Letting the world see who you really are(tm)"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Auckland,
New Zealand. 1705
Tel:- +64 9 536 6367
Mobile:- 025 291 6894


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users