Re: Feasibility question

["Joel Esler (jesler)" <jesler () cisco com>]

No.  You’d get a ton of false positives on that.  We used that for research for awhile, but it was too much.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

> On Dec 4, 2014, at 2:18 PM, James Lay <jlay () slave-tothe-box net> wrote:
>
> Hey All,
>
> So as I go about reverse engineering here, a common theme is seeing 
> PADDINGXX within exe's....would it be feasible to make a sig to match on 
> executable for this?  Thanks.
>
> James
>
> ------------------------------------------------------------------------------
> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
> with Interactivity, Sharing, Native Excel Exports, App Integration & more
> Get technology previously reserved for billion-dollar corporations, FREE
> http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!

Attachment: smime.p7s
Description:

------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!