Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Possible FP 10505

From: "Lay, James" <james.lay () wincofoods com>
Date: Fri, 20 May 2011 09:10:27 -0600
The rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SHELLCODE
unescape encoded shellcode"; flow:to_client,established;
content:"unescape"; fast_pattern:only;
pcre:"/(spray|return_address|payloadcode|shellcode|retaddr|retaddress|bl
ock|payload|agent|hspt)/smi";
pcre:"/unescape\s*\x28(\x22|\x27|\x26quot\x3B|\x5c\x22)[\x25\x5c][0-9a-f
]{2}[\x25\x5c][0-9a-f]{2}[\x25\x5c][0-9a-f]{2}/smi";
classtype:shellcode-detect; sid:10505; rev:3;)

 

The hit:

05/20-09:07:31.610475  [**] [1:10505:3] SHELLCODE unescape encoded
shellcode [**] [Classification: Executable code was detected] [Priority:
1] {TCP} 74.125.227.18:80 -> INT.IP:57562

 

The file:

wget http://maps.gstatic.com/intl/en_us/mapfiles/341a/maps2.api/main.js


------------------------------------------------------------------------------
What Every C/C++ and Fortran developer Should Know!
Read this article and learn how Intel has extended the reach of its 
next-generation tools to help Windows* and Linux* C/C++ and Fortran 
developers boost performance applications - including clusters. 
http://p.sf.net/sfu/intel-dev2devmay
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: