Snort mailing list archives
Re: [Emerging-Sigs] SHELLCODE x86 inc ecx NOOP - for Yahoo
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 8 Feb 2012 19:24:43 -0500
It's a VRT rule. It's an indicator rule, meaning it's meant to be used in conjunction with other rules for a more complete picture. It's off by default.

On Wednesday, February 8, 2012, Balasubramaniam Natarajan <bala150985 () gmail com> wrote:
Thanks wkitty :-)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 inc ecx NOOP"; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; classtype:shellcode-detect; sid:1394; rev:12;)
On Thu, Feb 9, 2012 at 4:05 AM, waldo kitty <wkitty42 () windstream net> wrote:
On 2/8/2012 17:17, Balasubramaniam Natarajan wrote:

Whenever I login to Yahoomail and log out I see a bunch of Shellcode signatures getting triggered. Is this normal? When I look into the packet payload, sure enough I see a bunch of A's. I just want to know if others are seeing the same?

if i'm reading the html stuff you posted correctly, the rule being triggered is 1:1394... that is a VRT rule and it has no limitations on it... any inbound from "$EXTERNAL_NET any" to "$HOME_NET any" string of 31 capital 'A' characters will set it off... it is a very poor rule that does not limit itself on where it is looking or what it is looking for... it is disabled over here...
--
Regards,
Balasubramaniam Natarajan
www.etutorshop.com/moodle/
--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
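Added example, not part of the thread or of the VRT ruleset: a small Python emulation of the one test sid:1394 performs (the 31-'A' content match quoted above) run over constructed payloads. It shows why the rule fires on ordinary web traffic: 'A' is byte 0x41 (the 32-bit x86 "inc ecx" opcode the rule is named for), and base64 encodes every run of 0x00 bytes as a run of 'A', so any page carrying a zero-filled base64 blob looks like a NOP sled to this rule. The sample HTTP responses, the function names and the threshold of 31 are the example's own; only the content string comes from the rule.

```python
import base64

# The only test sid:1394 performs (rule quoted in the thread above):
# a plain substring match for 31 consecutive capital 'A' bytes.
# 'A' is 0x41, which in 32-bit x86 decodes to "inc ecx", hence the rule name.
SID_1394_CONTENT = b"A" * 31


def longest_a_run(payload: bytes) -> int:
    """Length of the longest run of consecutive 0x41 ('A') bytes in the payload."""
    best = run = 0
    for byte in payload:
        run = run + 1 if byte == 0x41 else 0
        best = max(best, run)
    return best


def sid_1394_matches(payload: bytes) -> bool:
    """Emulate the rule: no port, direction or protocol limits, just the content match."""
    return SID_1394_CONTENT in payload


def min_zero_bytes_to_trigger() -> int:
    """Smallest run of 0x00 bytes whose base64 encoding already contains 31 'A's."""
    n = 0
    while longest_a_run(base64.b64encode(b"\x00" * n)) < 31:
        n += 1
    return n


# Constructed samples (not captured traffic). A page embedding a base64 blob
# that contains 40 zero-filled bytes is enough to trip the rule.
BENIGN_BASE64 = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b'<img src="data:image/png;base64,'
    + base64.b64encode(b"\x00" * 40)
    + b'">'
)
PLAIN_HTML = b"HTTP/1.1 200 OK\r\n\r\n<html><body>Hello</body></html>"


def classify(samples: dict) -> dict:
    """Map each sample name to whether sid:1394 would fire on it."""
    return {name: sid_1394_matches(payload) for name, payload in samples.items()}


if __name__ == "__main__":
    results = classify({"benign base64": BENIGN_BASE64, "plain html": PLAIN_HTML})
    for name, fired in results.items():
        print(f"{name}: {'ALERT' if fired else 'no alert'}")
    print("zero bytes needed to trigger via base64:", min_zero_bytes_to_trigger())
```

Running the block reports the base64 sample as an alert and the plain HTML as clean, and shows that 23 zero bytes of base64-encoded content are already enough to produce 31 consecutive 'A's. That is the practical reason behind the two positions in the thread: treat the rule purely as an indicator to be correlated with other alerts, or leave it disabled.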