Snort mailing list archives

Re: [Snort-users] SHELLCODE base64 x86 NOOP


From: Patrick Mullen <pmullen () sourcefire com>
Date: Wed, 6 Jun 2012 09:58:58 -0400

Hello!

Sorry for the confusion. What I am trying to ask is why only these NOP
opcodes are chosen?
<snip>
How about others?

Thanks for the great discussion about the NOP rules.  The intent
behind the rules is to detect common forms of simple NOP sleds.
'\x90' is the only true NOP in x86 machine code, but technically any
instruction that does not adversely affect the desired shellcode is an
"effective NOP."  Since we can't possibly detect every single
combination of bytes that works as a NOP for every possible shellcode,
we chose to write signatures for the most common forms -- '\x90', 'A',
'B', 'C', and 'D'.  This strategy has proven to be quite effective in
the field but if you have suggestions on other forms we should look
for I'd welcome the input.


Thanks,

~Patrick
-- 
Patrick Mullen
Research Manager
Sourcefire VRT

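The reply above describes the detection idea behind the NOP rules: look for long runs of a single "effective NOP" byte, either the true x86 NOP (0x90) or one of the printable bytes 'A' through 'D'. The following Python is an added example written for this archive page; it is not Patrick's code and not a Snort rule. It scans a buffer for such runs and, because the thread subject names the base64 variant of the rule, also decodes base64 tokens before scanning. The 14-byte run threshold and the 16-character minimum token length are constructed choices for the example, and the sample inputs are constructed.

```python
import base64
import re

# Bytes the message calls "effective NOPs": 0x90 is the real x86 NOP,
# and 'A'..'D' (0x41..0x44) are single-byte instructions that do not
# disturb a typical payload, which is why the rules look for them too.
NOP_LIKE = {0x90, 0x41, 0x42, 0x43, 0x44}

# Constructed threshold for this example; the real rule content lengths
# are not taken from the page.
DEFAULT_MIN_RUN = 14


def find_nop_runs(data: bytes, min_run: int = DEFAULT_MIN_RUN):
    """Return (offset, length, byte) for each run of one repeated NOP-like
    byte that is at least min_run bytes long. Mixed runs (e.g. ABABAB) are
    deliberately not merged: the rules match a repeated single byte."""
    hits = []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b not in NOP_LIKE:
            i += 1
            continue
        j = i
        while j < n and data[j] == b:
            j += 1
        if j - i >= min_run:
            hits.append((i, j - i, b))
        i = j
    return hits


# Constructed: a base64 token is a run of base64 alphabet characters of
# at least 16 chars, optionally followed by padding.
_B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def find_nop_runs_in_base64(text: str, min_run: int = DEFAULT_MIN_RUN):
    """Decode each base64-looking token in text and scan the decoded bytes.
    Returns (token_offset, runs) for every token whose decoded form holds
    a qualifying run; tokens that do not decode cleanly are skipped."""
    results = []
    for m in _B64_TOKEN.finditer(text.encode("ascii", "replace")):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        runs = find_nop_runs(decoded, min_run)
        if runs:
            results.append((m.start(), runs))
    return results


if __name__ == "__main__":
    # Constructed sample: a request line followed by a 20-byte 0x90 run.
    raw = b"GET /index?q=" + b"\x90" * 20 + b"\xcc"
    print("raw hits:", find_nop_runs(raw))
    # Constructed sample: the same idea hidden inside a base64 parameter.
    b64 = "data=" + base64.b64encode(b"A" * 16).decode()
    print("base64 hits:", find_nop_runs_in_base64(b64))
```

Running the block prints the offset, length and byte value of each run found in the raw buffer and inside the decoded base64 parameter. Short runs of 'A' such as those that occur naturally in text fall below the threshold and are ignored, which is the same trade-off the rules make between coverage and false positives.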
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
