Snort mailing list archives
Re: [Snort-users] SHELLCODE base64 x86 NOOP
From: yew chuan Ong <yewchuan_23 () yahoo com>
Date: Wed, 6 Jun 2012 02:51:46 -0700 (PDT)
Hi Eric, Thanks for your info. Sorry for the confusion. What I am trying to ask if why only these NOP opcodes are choosen? From what I found, the current sig only look for these: inc ecx - A - \x41 inc edx - B - \x42 inc ebx - C - \x43 inc esp - D - \x44 How about others? Regards YC ________________________________ From: Eric G <eric () nixwizard net> To: Snort Users <snort-users () lists sourceforge net> Sent: Wednesday, June 6, 2012 11:30 AM Subject: Re: [Snort-users] [Snort-sigs] SHELLCODE base64 x86 NOOP On Jun 5, 2012 11:05 PM, "yew chuan Ong" <yewchuan_23 () yahoo com> wrote:
Hi All, Understand this sig is to tackle the possibility of no-op sled. But, why the content is just limited to the following repeating characters? Any ideas? "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB" "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" "Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0ND" "kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ" "RERERERERERERERERERERERERERERERER" Thanks! Regards YC
Forgive me if I'm mistaken, but that's because those are what the x86 NOP opcodes look like on the wire.... Snort sees a bunch of NOPs chained together pass by the sensor, and this rule fires off because the traffic looks similar to malicious traffic that relies on using x86 NOP opcodes to control where malicious shellcode can be injected onto the stack. "The NOP allows an attacker to fill an address space with a large number of NOPs followed by his or her code of choice. This allows "sledding" into the attackers shellcode." -from http://www.snort.org/search/sid/648 Mayne I'm not understanding your quesyion... are you saying that there other NOP opcodes that should be included? Or are you unsure of why there are repeating patterns of text in the rule? -- Eric ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- SHELLCODE base64 x86 NOOP yew chuan Ong (Jun 05)
- Re: [Snort-sigs] SHELLCODE base64 x86 NOOP Eric G (Jun 05)
- Re: [Snort-users] SHELLCODE base64 x86 NOOP yew chuan Ong (Jun 06)
- Re: [Snort-users] SHELLCODE base64 x86 NOOP Patrick Mullen (Jun 06)
- Re: [Snort-users] SHELLCODE base64 x86 NOOP yew chuan Ong (Jun 06)
- Re: [Snort-sigs] SHELLCODE base64 x86 NOOP Eric G (Jun 05)