Snort mailing list archives
Re: Possible FP 10505
From: Kevin Ross <kevross33 () googlemail com>
Date: Fri, 20 May 2011 16:24:54 +0100
This rule's PCRE is horrid:

a) unescape is very common, so it will be moving onto PCRE extremely frequently. Perhaps when this rule was written, obfuscation and unescape weren't as common in normal traffic as they are now.

b) the PCRE is long with lots of different match possibilities (not necessarily a bad thing, as I have written ET rules where there is no choice), but with such a common content match it will be working through them often. Perhaps it needs to be looked at to improve, as I think a performance improvement could be achieved somehow. You could get rid of 2 of them by having one as shellcode being the content match and the other payload before moving into PCRE.

On 20 May 2011 16:10, Lay, James <james.lay () wincofoods com> wrote:
The rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; fast_pattern:only; pcre:"/(spray|return_address|payloadcode|shellcode|retaddr|retaddress|block|payload|agent|hspt)/smi"; pcre:"/unescape\s*\x28(\x22|\x27|\x26quot\x3B|\x5c\x22)[\x25\x5c][0-9a-f]{2}[\x25\x5c][0-9a-f]{2}[\x25\x5c][0-9a-f]{2}/smi"; classtype:shellcode-detect; sid:10505; rev:3;)

The hit:

05/20-09:07:31.610475 [**] [1:10505:3] SHELLCODE unescape encoded shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 74.125.227.18:80 -> INT.IP:57562

The file:

wget http://maps.gstatic.com/intl/en_us/mapfiles/341a/maps2.api/main.js

------------------------------------------------------------------------------
What Every C/C++ and Fortran developer Should Know! Read this article and learn how Intel has extended the reach of its next-generation tools to help Windows* and Linux* C/C++ and Fortran developers boost performance applications - including clusters. http://p.sf.net/sfu/intel-dev2devmay
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
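To see concretely why sid:10505 trips on ordinary script, here is an added example (not from the thread or from the Snort rule set) that re-implements the rule's three match stages in Python and runs them over constructed JavaScript samples; the function name and the sample strings are assumptions made for the demonstration, not the contents of the main.js file mentioned above.

```python
import re

# Python translation of the three match stages of Snort sid:10505 as posted in
# the thread. Snort content matches are case-sensitive unless nocase is set, so
# "unescape" is a plain substring test; both pcre options use /smi (re.S|re.M|re.I).
CONTENT = b"unescape"
PCRE1 = re.compile(
    rb"(spray|return_address|payloadcode|shellcode|retaddr|retaddress"
    rb"|block|payload|agent|hspt)",
    re.S | re.M | re.I,
)
PCRE2 = re.compile(
    rb"unescape\s*\x28(\x22|\x27|\x26quot\x3B|\x5c\x22)"
    rb"[\x25\x5c][0-9a-f]{2}[\x25\x5c][0-9a-f]{2}[\x25\x5c][0-9a-f]{2}",
    re.S | re.M | re.I,
)

def evaluate_sid_10505(payload: bytes) -> dict:
    """Run the rule's stages in order and report which ones matched.
    Snort ANDs all options, so 'alert' is True only when all three match.
    'pcre1_keyword' records the (lower-cased) alternative that satisfied the
    first PCRE, which is what shows why benign script trips the rule.
    """
    result = {"content": False, "pcre1_keyword": None, "pcre2": False, "alert": False}
    result["content"] = CONTENT in payload
    if not result["content"]:
        return result  # fast-pattern miss: Snort never reaches the PCREs
    m1 = PCRE1.search(payload)
    result["pcre1_keyword"] = m1.group(1).decode().lower() if m1 else None
    result["pcre2"] = PCRE2.search(payload) is not None
    result["alert"] = bool(m1) and result["pcre2"]
    return result

# Constructed sample 1: ordinary library code. "userAgent" satisfies PCRE1's
# "agent" alternative (the match is case-insensitive) and a URL-encoded HTML
# fragment satisfies PCRE2, so the rule alerts on benign JavaScript.
BENIGN_JS = (
    b"var ua = navigator.userAgent;\n"
    b'function block(el) { el.innerHTML = unescape("%3C%21%2D%2D%3E"); }\n'
)
# Constructed sample 2: the shape the rule was written for.
SUSPECT_JS = b'var shellcode = unescape("%41%41%41%41");\n'
# Constructed sample 3: only two encoded bytes, so PCRE2 does not match.
SHORT_JS = b'var agent = unescape("%41%41");\n'

if __name__ == "__main__":
    for name, js in [("benign", BENIGN_JS), ("suspect", SUSPECT_JS), ("short", SHORT_JS)]:
        print(name, evaluate_sid_10505(js))
```

Running it shows the benign sample alerting on the "agent" alternative alone, which is the point Kevin makes about the first PCRE's very common words.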
Current thread:
- Possible FP 10505 Lay, James (May 20)
- Re: Possible FP 10505 Kevin Ross (May 20)