[Snort-sigs] Shellcode x86 inc ebx signatures

Ian Macdonald secsnortsigs at ...644...
Fri Aug 9 08:07:06 EDT 2002


I am seeing a lot of alerts being triggered by the Shellcode x86 inc ebx
signature. I see a lot of the packets have JFIF, which I think is the
identifier for a type of JPEG. In order to reduce false positives, would it
make sense to put a (not "JFIF") content match in this signature? Or would
this open up the possibility of someone doing a buffer overflow that has
JFIF in the string so it would be able to bypass the IDS?

SHELLCODE x86 inc ebx NOOP

D8 FF E0 00 10 4A 46 49 46 00 01 02 00 00 64 00   .....JFIF.....d.
64 00 00 FF EC 00 11 44 75 63 6B 79 00 01 00 04   d......Ducky....
00 00 00 0D 00 00 FF EE 00 0E 41 64 6F 62 65 00   .........Adobe.
64 C0 00 00 00 01 FF DB 00 84 00 13 10 10 18 11   d...............
18 26 17 17 26 30 25 1E 25 30 2C 25 24 24 25 2C   .&..&0%.%0,%$$%,
3B 33 33 33 33 33 3B 43 3E 3E 3E 3E 3E 3E 43 43   ;33333;C>>>>>>CC
43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
43 43 43 43 43 43 43 43 43 43 43 01 14 18 18 1F   CCCCCCCCCCC.....
1B 1F 25 18 18 25 34 25 1F 25 34 43 34 29 29 34   ..%..%4%.%4C4))4
43 43 43 40 33 40 43 43 43 43 43 43 43 43 43 43   CCC@3@CCCCCCCCCC
43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
43 43 43 43 43 43 43 43 43 43 43 43 FF C0 00 11   CCCCCCCCCCCC....
08 00 86 00 D2 03 01 22 00 02 11 01 03 11 01 FF   ......."........
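Added example, not code from the post above or from Snort: it takes the payload from the hex dump quoted in the message (the dump begins at D8, so the leading FF of the JPEG SOI marker is assumed and prepended), walks the JPEG marker segments, and reports where each run of 0x43 bytes sits. 0x43 is ASCII 'C' and also the x86 opcode for inc ebx, which is what the NOOP signature keys on; in this packet the long runs are quantization-table entries inside a DQT segment (FF DB). The run-length threshold of 16 and the helper names are assumptions for the example, not the rule's own content length.

```python
# Added example (not code from the original post or from Snort). It walks the
# JPEG marker structure of the quoted payload and reports where each run of
# 0x43 bytes sits. 0x43 is ASCII 'C' and the x86 opcode for 'inc ebx', which
# is what the NOOP signature keys on; here the runs are DQT table entries.
import struct

# Payload copied from the hex dump in the post. The dump begins at 'D8', so the
# leading 0xFF of the SOI marker is assumed and prepended here.
SAMPLE = bytes.fromhex(
    "FF"
    "D8FFE000104A46494600010200006400"
    "640000FFEC00114475636B7900010004"
    "0000000D0000FFEE000E41646F626500"
    "64C000000001FFDB0084001310101811"
    "182617172630251E25302C252424252C"
    "3B33333333333B433E3E3E3E3E3E4343"
    + "43" * 16
    + "43" * 11 + "011418181F"
    + "1B1F2518182534251F25344334292934"
    + "434343403340" + "43" * 10
    + "43" * 16
    + "43" * 12 + "FFC00011"
    + "08008600D203012200021101031101FF"
)

# Constructed counter-case: contains the string "JFIF" but has no JPEG marker
# structure at all, so a plain (not "JFIF") content exclusion would hide it.
JFIF_STRING_ONLY = b"JFIF" + b"\x43" * 40

MARKER_SOI, MARKER_DQT, MARKER_SOS, MARKER_EOI = 0xD8, 0xDB, 0xDA, 0xD9

def parse_segments(data):
    """Return [(marker, start, end)] for the marker segments at the head of a
    JPEG; end is exclusive. Stops at SOS (entropy-coded data follows), at EOI,
    at a truncated segment, or where a marker byte is missing."""
    if data[:2] != b"\xff\xd8":
        return []                      # no SOI: not a JPEG at all
    segments = [(MARKER_SOI, 0, 2)]
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == MARKER_EOI:
            segments.append((MARKER_EOI, pos, pos + 2))
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # counts itself
        end = pos + 2 + length
        if end > len(data):
            break                      # segment runs past the captured bytes
        segments.append((marker, pos, end))
        if marker == MARKER_SOS:
            break
        pos = end
    return segments

def find_runs(data, value=0x43, min_len=16):
    """Return [(offset, length)] for runs of `value` at least min_len long.
    The threshold is an assumption for this example, not the rule's own
    content length."""
    runs, i = [], 0
    while i < len(data):
        if data[i] != value:
            i += 1
            continue
        j = i
        while j < len(data) and data[j] == value:
            j += 1
        if j - i >= min_len:
            runs.append((i, j - i))
        i = j
    return runs

def locate_runs(data, min_len=16):
    """Pair each run with the marker of the segment that fully contains it
    (None when no well-formed segment does)."""
    segments = parse_segments(data)
    located = []
    for off, ln in find_runs(data, 0x43, min_len):
        inside = next((m for m, s, e in segments if s <= off and off + ln <= e), None)
        located.append((off, ln, inside))
    return located

def verdict(data, min_len=16):
    """'no-match' when no run is present; 'suppress' when every run is inside
    a DQT segment of a well-formed JPEG header; otherwise 'alert'."""
    hits = locate_runs(data, min_len)
    if not hits:
        return "no-match"
    return "suppress" if all(m == MARKER_DQT for _, _, m in hits) else "alert"

if __name__ == "__main__":
    for name, payload in (("packet from post", SAMPLE),
                          ("JFIF string only", JFIF_STRING_ONLY)):
        print(name, verdict(payload), locate_runs(payload))
```

For the quoted packet the two long runs (29 and 38 bytes of 0x43) both fall inside the FF DB segment, so the structural check would suppress the alert; the constructed payload that merely contains "JFIF" has no marker structure, so it still alerts. A plain negated content match on "JFIF" would suppress both, which is exactly the trade-off the question raises: anchoring the exclusion on the JPEG segment layout rather than on one string narrows what a sender can hide by just including the string. The check only covers the marker-header region before SOS, not the entropy-coded image data that follows.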
