Snort mailing list archives
Possible FP 10505
From: "Lay, James" <james.lay () wincofoods com>
Date: Fri, 20 May 2011 09:10:27 -0600
The rule:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; fast_pattern:only; pcre:"/(spray|return_address|payloadcode|shellcode|retaddr|retaddress|block|payload|agent|hspt)/smi"; pcre:"/unescape\s*\x28(\x22|\x27|\x26quot\x3B|\x5c\x22)[\x25\x5c][0-9a-f]{2}[\x25\x5c][0-9a-f]{2}[\x25\x5c][0-9a-f]{2}/smi"; classtype:shellcode-detect; sid:10505; rev:3;)

The hit:
05/20-09:07:31.610475 [**] [1:10505:3] SHELLCODE unescape encoded shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 74.125.227.18:80 -> INT.IP:57562

The file:
wget http://maps.gstatic.com/intl/en_us/mapfiles/341a/maps2.api/main.js
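To help triage a report like the one above, here is an added example (not part of the original post or of the Snort rule set) that re-implements the three tests of sid:10505 rev:3 in Python's `re` module and evaluates each one separately. The sample JavaScript strings are constructed for the example and are not the contents of the main.js file mentioned in the post; they only show that ordinary code which reads `navigator.userAgent` and decodes a percent-encoded UTF-8 string satisfies every test of the rule, because the keyword PCRE's `agent` alternative matches inside `userAgent` case-insensitively.

```python
import re

# The three tests that make up Snort sid:10505 rev:3, carried over from the
# rule text: a case-sensitive content match, the keyword PCRE, and the
# unescape("%xx%xx%xx PCRE. Snort's "smi" PCRE modifiers map to re.S | re.M | re.I.
CONTENT_UNESCAPE = b"unescape"
KEYWORD_PCRE = re.compile(
    rb"(spray|return_address|payloadcode|shellcode|retaddr|retaddress|block|payload|agent|hspt)",
    re.S | re.M | re.I,
)
UNESCAPE_HEX_PCRE = re.compile(
    rb"unescape\s*\x28(\x22|\x27|\x26quot\x3B|\x5c\x22)"
    rb"[\x25\x5c][0-9a-f]{2}[\x25\x5c][0-9a-f]{2}[\x25\x5c][0-9a-f]{2}",
    re.S | re.M | re.I,
)


def rule_checks(payload: bytes) -> dict:
    """Evaluate each of the rule's tests on its own so an analyst can see
    exactly which ones a benign page satisfied."""
    return {
        "content_unescape": CONTENT_UNESCAPE in payload,
        "keyword_pcre": KEYWORD_PCRE.search(payload) is not None,
        "unescape_hex_pcre": UNESCAPE_HEX_PCRE.search(payload) is not None,
    }


def rule_10505_matches(payload: bytes) -> bool:
    """The rule fires only when every option is true (Snort ANDs its options)."""
    return all(rule_checks(payload).values())


def matched_keyword(payload: bytes):
    """The keyword alternative that satisfied the first PCRE, lower-cased, or None."""
    m = KEYWORD_PCRE.search(payload)
    return m.group(0).lower() if m else None


# Constructed samples (not taken from main.js): ordinary JavaScript that reads
# navigator.userAgent and decodes a percent-encoded UTF-8 string (an en dash).
BENIGN_JS = (
    b"var ua = navigator.userAgent;\n"
    b'var dash = unescape("%E2%80%93");\n'
)
# Same decode, but no word from the keyword list anywhere in the page.
NO_KEYWORD_JS = b'var dash = unescape("%E2%80%93");\n'
# Keyword present, but unescape() receives a variable rather than a hex literal.
NO_HEX_JS = b"var shellcode = unescape(encoded);\n"

if __name__ == "__main__":
    for name, sample in [("BENIGN_JS", BENIGN_JS),
                         ("NO_KEYWORD_JS", NO_KEYWORD_JS),
                         ("NO_HEX_JS", NO_HEX_JS)]:
        print(name, rule_10505_matches(sample), rule_checks(sample), matched_keyword(sample))
```

Running the script shows `BENIGN_JS` tripping all three tests with `agent` as the matching keyword, while the other two samples each fail exactly one test; pasting a suspect response body into `rule_checks` is a quick way to see which option a false positive is riding on before deciding whether to threshold, suppress, or tighten the rule for a given source.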
Current thread:
- Possible FP 10505 Lay, James (May 20)
- Re: Possible FP 10505 Kevin Ross (May 20)