Detecting Packed Executables?

["Tommy Cansanay" <toortog () gmail com>]

Has anybody successfully created signatures that detect packers?

I tried a simple content search where the sniffer sees the packed
executable, but Snort does not.  Tried several things, which included Hex,
pcre, used |03| (DNS search), etc, but no luck.
Doing some google searches, PE hunter could possibly do the trick, but it
requires re-compiling snort. I was wondering if there was an easier way.

Thanks

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users