[Snort-sigs] Newbie question on traffic

Brian bmc at ...95...
Fri Nov 21 11:43:02 EST 2003


On Wed, Nov 19, 2003 at 01:14:09PM -0600, William_Metcalf at ...1445... wrote:
> Is there any easy way to convert shellcode from an exploit to a sig
> for snort?  I just want to make sure that I'm correct in assuming
> that something like 
> 
> \xeb\x19\x5e\x31\xc9\x81\xe9\xa6\xff\xff\xff\x81\x36\x99\x99\x99 
> 
> should look like this in a packet dump
> 
> eb 19 5e 31 c9 81 e9 a6 ff ff ff 81 36 99 99 99 
> 
> Is this correct???????

Uh, depends on the exploit.  You probably want to use the following
snippet in your rule.

    content:"|eb 19 5e 31 c9 81 e9 a6 ff ff ff 81 36 99 99 99|";

-b
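
The conversion asked about in this thread, as an added example that is not part of the original messages: it decodes a C-style escaped string into bytes and prints them in Snort's `content` notation, keeping short printable runs and the bytes Snort treats specially (`"`, `:`, `;`, `\`, `|`) in hex. The function names, the `min_text` threshold and the second sample string are assumptions of this example.

```python
import re

# Simple C escapes that show up in exploit source next to \xHH pairs.
SIMPLE = {"n": 0x0A, "r": 0x0D, "t": 0x09, "0": 0x00, "\\": 0x5C, '"': 0x22, "'": 0x27}
TOKEN = re.compile(r"\\x([0-9a-fA-F]{2})|\\(.)|(.)", re.S)
# Printable ASCII minus the bytes Snort treats specially inside content: " : ; \ |
TEXT_RUN = rb"[\x20\x21\x23-\x39\x3c-\x5b\x5d-\x7b\x7d\x7e]{%d,}"


def c_escaped_to_bytes(text):
    """Decode the body of a C-style string literal into raw bytes."""
    out = bytearray()
    for hexpair, esc, lit in TOKEN.findall(text.strip()):
        if hexpair:
            out.append(int(hexpair, 16))
        elif esc in SIMPLE:
            out.append(SIMPLE[esc])
        elif esc or lit == "\\":
            raise ValueError(f"unsupported escape near {esc or lit!r}")
        else:
            out += lit.encode("latin-1")
    return bytes(out)


def snort_content(data, min_text=4):
    """Render bytes as a Snort content option.

    Printable runs of at least min_text bytes stay readable; everything
    else, including isolated printable bytes inside binary data, is hex.
    """
    def hexpart(chunk):
        return "|" + " ".join(f"{b:02x}" for b in chunk) + "|" if chunk else ""

    parts, pos = [], 0
    for m in re.finditer(TEXT_RUN % min_text, data):
        parts.append(hexpart(data[pos:m.start()]))
        parts.append(m.group().decode("ascii"))
        pos = m.end()
    parts.append(hexpart(data[pos:]))
    return 'content:"' + "".join(parts) + '";'


if __name__ == "__main__":
    # The byte string quoted in the thread.
    quoted = r"\xeb\x19\x5e\x31\xc9\x81\xe9\xa6\xff\xff\xff\x81\x36\x99\x99\x99"
    print(snort_content(c_escaped_to_bytes(quoted)))
    # Constructed sample mixing binary, text and a special character.
    print(snort_content(c_escaped_to_bytes(r"\x01\x02ABCD;EF\r\n")))
```

The pattern only matches a packet dump when the bytes go on the wire unmodified; if the payload is encoded or transformed before it is sent, feed the on-wire bytes to the converter instead.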



