Re: [Snort-users] SHELLCODE base64 x86 NOOP

[yew chuan Ong <yewchuan_23 () yahoo com>]

Hi Eric,

Thanks for your info.

Sorry for the confusion. What I am trying to ask if why only these NOP opcodes are choosen?

From what I found, the current sig only look for these:
inc ecx - A - \x41      
inc edx - B - \x42      
inc ebx - C - \x43      
inc esp - D - \x44   

How about others?


Regards
YC

________________________________
 From: Eric G <eric () nixwizard net>
To: Snort Users <snort-users () lists sourceforge net> 
Sent: Wednesday, June 6, 2012 11:30 AM
Subject: Re: [Snort-users] [Snort-sigs] SHELLCODE base64 x86 NOOP
 

On Jun 5, 2012 11:05 PM, "yew chuan Ong" <yewchuan_23 () yahoo com> wrote:
> Hi All,
>
> Understand this sig is to tackle the possibility of no-op sled.
> But, why the content is just limited to the following repeating characters? Any ideas?
>
> "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"
> "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
> "Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0ND"
> "kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ"
> "RERERERERERERERERERERERERERERERER"
>
> Thanks!
>
> Regards
> YC
Forgive me if I'm mistaken, but that's because those are what the x86 NOP opcodes look like on the wire.... Snort sees 
a bunch of NOPs chained together pass by the sensor, and this rule fires off because the traffic looks similar to 
malicious traffic that relies on using x86 NOP opcodes to control where malicious shellcode can be injected onto the 
stack.
"The NOP allows an attacker to fill an address space with a large number of NOPs followed by his or her code of choice. 
This allows "sledding" into the attackers shellcode."
-from http://www.snort.org/search/sid/648
Mayne I'm not understanding your quesyion... are you saying that there other NOP opcodes that should be included? Or 
are you unsure of why there are repeating patterns of text in the rule?
--
Eric
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!