Snort mailing list archives
Re: [Snort-users] SHELLCODE base64 x86 NOOP
From: Patrick Mullen <pmullen () sourcefire com>
Date: Wed, 6 Jun 2012 09:58:58 -0400
> Hello!
>
> Sorry for the confusion. What I am trying to ask is why only these NOP opcodes are chosen?
>
> <snip>
>
> How about others?
Thanks for the great discussion about the NOP rules.

The intent behind the rules is to detect common forms of simple NOP sleds. '\x90' is the only true NOP in x86 machine code, but technically any instruction that does not adversely affect the desired shellcode is an "effective NOP." Since we can't possibly detect every single combination of bytes that works as a NOP for every possible shellcode, we chose to write signatures for the most common forms -- '\x90', 'A', 'B', 'C', and 'D'. This strategy has proven to be quite effective in the field but if you have suggestions on other forms we should look for I'd welcome the input.

Thanks,

~Patrick

--
Patrick Mullen
Research Manager
Sourcefire VRT
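To make the detection idea in the reply concrete, here is an added example (not code from the thread, from Sourcefire or from Snort itself) that scans a payload for a run of one repeated NOP-equivalent byte from the set named above ('\x90', 'A', 'B', 'C', 'D'), and then does the same on base64-encoded tokens, which is the case the rule in the subject line exists for. The run-length threshold of 14, the regex used to pick out base64-looking tokens, and the sample payloads are all assumptions constructed for this example; a real deployment would tune them against its own traffic.

```python
import base64
import re
from typing import List, Tuple

# Byte values the reply names as the common NOP-sled fillers: the true x86 NOP
# (0x90) and the printable single-byte opcodes 'A'..'D' (0x41..0x44).
NOP_BYTES = frozenset(b"\x90ABCD")

# Assumed minimum run length before a run is reported as a sled (tune locally).
SLED_THRESHOLD = 14

# Assumed heuristic for base64-looking tokens: 16+ alphabet chars, optional padding.
_B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def longest_nop_run(payload: bytes) -> Tuple[int, int, int]:
    """Return (offset, length, byte_value) of the longest run of ONE repeated
    NOP-equivalent byte. Requiring the same byte throughout mirrors the shape of a
    content match on a repeated opcode and keeps ordinary text like 'ABCD' from
    counting as a sled. Returns (0, 0, 0) when no NOP-equivalent byte is present."""
    best = (0, 0, 0)
    i, n = 0, len(payload)
    while i < n:
        value = payload[i]
        j = i + 1
        while j < n and payload[j] == value:
            j += 1
        if value in NOP_BYTES and j - i > best[1]:
            best = (i, j - i, value)
        i = j
    return best


def is_nop_sled(payload: bytes, threshold: int = SLED_THRESHOLD) -> bool:
    """True when the raw payload holds a NOP-equivalent run of at least threshold bytes."""
    return longest_nop_run(payload)[1] >= threshold


def scan_base64(data: bytes, threshold: int = SLED_THRESHOLD) -> List[Tuple[int, int, int]]:
    """Decode each base64-looking token in data and report sleds found inside it.

    Each hit is (offset_of_token_in_data, byte_value, run_length). A sled that is
    base64-encoded shows no repeated bytes in the wire form, so the raw scan above
    misses it; decoding first is what lets the same run check apply."""
    hits = []
    for m in _B64_TOKEN.finditer(data):
        token = m.group(0).rstrip(b"=")
        padded = token + b"=" * (-len(token) % 4)  # restore padding if trimmed
        try:
            decoded = base64.b64decode(padded, validate=True)
        except ValueError:  # binascii.Error is a ValueError: not real base64, skip it
            continue
        _, length, value = longest_nop_run(decoded)
        if length >= threshold:
            hits.append((m.start(), value, length))
    return hits


# Constructed sample inputs (not captured traffic).
RAW_SLED = b"\x90" * 16 + b"XYZ!"                     # plain sled, caught by the raw scan
BENIGN_TEXT = b"The quick brown fox jumps over it"   # no NOP-equivalent runs at all
_PREFIX = b"POST /upload HTTP/1.1\r\n\r\ndata="
ENCODED_MSG = _PREFIX + base64.b64encode(b"A" * 20 + b"rest")  # sled hidden by base64

if __name__ == "__main__":
    print("raw sled:", longest_nop_run(RAW_SLED), is_nop_sled(RAW_SLED))
    print("benign:", longest_nop_run(BENIGN_TEXT), is_nop_sled(BENIGN_TEXT))
    print("encoded, raw scan:", is_nop_sled(ENCODED_MSG))
    print("encoded, base64 scan:", scan_base64(ENCODED_MSG))
```

Running it shows why one signature is not enough: the raw scan flags the plain sled and ignores the benign text, but the base64-encoded message passes the raw scan untouched and is only reported once the token is decoded. Equally, a threshold is unavoidable; a handful of repeated 'A' bytes is normal in text, so the length floor, not the byte set alone, is what keeps false positives down.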
Current thread:
- SHELLCODE base64 x86 NOOP yew chuan Ong (Jun 05)
- Re: [Snort-sigs] SHELLCODE base64 x86 NOOP Eric G (Jun 05)
- Re: [Snort-users] SHELLCODE base64 x86 NOOP yew chuan Ong (Jun 06)
- Re: [Snort-users] SHELLCODE base64 x86 NOOP Patrick Mullen (Jun 06)
- Re: [Snort-users] SHELLCODE base64 x86 NOOP yew chuan Ong (Jun 06)
- Re: [Snort-sigs] SHELLCODE base64 x86 NOOP Eric G (Jun 05)