Snort mailing list archives
Detecting Packed Executables?
From: "Tommy Cansanay" <toortog () gmail com>
Date: Fri, 18 Jul 2008 18:02:06 -0400
Has anybody successfully created signatures that detect packers? I tried a simple content search where the sniffer sees the packed executable, but Snort does not. Tried several things, which included Hex, pcre, used |03| (DNS search), etc, but no luck. Doing some google searches, PE hunter could possibly do the trick, but it requires re-compiling snort. I was wondering if there was an easier way. Thanks
------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Detecting Packed Executables? Tommy Cansanay (Jul 18)
- Re: Detecting Packed Executables? Matt Jonkman (Jul 18)