Snort mailing list archives

fast_pattern:only in rule 2101390 (GPL SHELLCODE x86 inc ebx NOOP)?


From: Cyrille Bollu <cyrille.bollu () gmail com>
Date: Tue, 14 Jan 2014 16:08:38 +0100

Hi,

As of today, the "GPL SHELLCODE x86 inc ebx NOOP" rule uses the
fast_pattern:only modifier.

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL
SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC";
fast_pattern:only; classtype:shellcode-detect; sid:2101390; rev:7;)

This means that this rule will also trigger on "cccccccccccccccccc" content
(as explained in http://vrt-blog.snort.org/2012/02/low-hanging-fruit.html :
"It is important to know that because the fast pattern matcher is case
agnostic, any match that is marked as *fast_pattern:only;* acts as if it
had the *nocase;* modifier.").

Is it really intended?

I don't know much about shellcodes. But, Google doesn't seem to think that
"ccccccc..." is a NOP sled.

At least, it definitively doesn't match the signature message; in this
case, this would be more of an "ARPL NOOP".

How could I have that corrected?

Best regards,

Cyrille
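As an added illustration that is not part of the post above or of Snort's own code, the following Python model of how a content match is evaluated reproduces the behaviour the post describes: the fast-pattern prefilter is case-insensitive, and fast_pattern:only skips the case-sensitive re-check, so a run of lowercase "c" (0x63, arpl) triggers sid:2101390 just like the uppercase "C" (0x43, inc ebx) it was written for. The rule strings, payloads, the simplified option parser and the two-entry opcode table are constructed for this example; the assumption that a plain `fast_pattern;` (without `only`) still gets the rule engine's case-sensitive verification follows the Snort behaviour the cited blog post refers to.

```python
import re

# Constructed sample payloads (not taken from the post): 24 bytes of 0x43 ("C")
# versus 24 bytes of 0x63 ("c"), each followed by two filler bytes.
INC_EBX_SLED = b"C" * 24 + b"\x90\x90"   # 0x43 = inc ebx (32-bit x86)
ARPL_BYTES   = b"c" * 24 + b"\x90\x90"   # 0x63 = arpl, a different instruction
BENIGN       = b"GET /index.html HTTP/1.0\r\n"

# Hypothetical rule option strings mirroring sid:2101390 from the post.
RULE_ONLY = 'content:"CCCCCCCCCCCCCCCCCCCCCCCC"; fast_pattern:only;'
RULE_FP   = 'content:"CCCCCCCCCCCCCCCCCCCCCCCC"; fast_pattern;'

# Constructed two-entry opcode table; only what this example needs.
X86_OPCODE = {0x43: "inc ebx", 0x63: "arpl"}

def parse_rule(rule):
    """Extract the content bytes and whether fast_pattern:only / nocase are set.
    Simplified parser for this example; it is not Snort's rule parser."""
    content = re.search(r'content:"([^"]*)"', rule).group(1).encode()
    opts = {o.strip() for o in rule.split(";") if o.strip()}
    return content, "fast_pattern:only" in opts, "nocase" in opts

def rule_matches(rule, payload):
    """Model the two-stage evaluation the post's quoted blog explains:
    1. the fast-pattern matcher is case-agnostic;
    2. with fast_pattern:only the content is not re-verified by the rule
       engine, so the rule behaves as if nocase had been given."""
    content, fp_only, nocase = parse_rule(rule)
    if content.lower() not in payload.lower():
        return False               # prefilter miss: rule never evaluated
    if fp_only or nocase:
        return True                # no case-sensitive verification step
    return content in payload      # rule-engine check is case-sensitive

def sled_opcode(payload, min_run=24):
    """Return the mnemonic of the byte repeated at the start of payload,
    or None if the run is too short or the byte is not in the table."""
    first = payload[:1]
    run = len(payload) - len(payload.lstrip(first))
    if run < min_run:
        return None
    return X86_OPCODE.get(first[0])

if __name__ == "__main__":
    for name, p in [("inc ebx sled", INC_EBX_SLED), ("arpl bytes", ARPL_BYTES)]:
        print(name, "only:", rule_matches(RULE_ONLY, p),
              "plain fp:", rule_matches(RULE_FP, p), "opcode:", sled_opcode(p))
```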