[Snort-sigs] Shell code Rules 653 and 2314

Scott Zawalski scott.zawalski at ...1089...
Tue Jul 13 08:19:13 EDT 2004


Is it not true that anything 2314 matches, 653 will match as well, making 
2314 superfluous? Or, if I am wrong, could someone please explain a 
situation? On our network they both trip the exact same amount.


alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 0x90 NOOP unicode"; content:"|90 00 90 00 90 00 90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:2314; rev:1;)

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 unicode NOOP"; content:"|90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:653; rev:8;)



Scott
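
Whether one content rule covers another can be checked mechanically. The following is an added example, not part of the original post or of the Snort project: it parses the two rules quoted above and tests whether every payload that fires one must also fire the other. The function names and the sample payloads are constructed for illustration, and the parser assumes a single content option with no escaped characters.

```python
import re

# The two rules from the post, with the e-mail line wraps joined.
HEADER = 'alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any '
RULE_2314 = HEADER + ('(msg:"SHELLCODE x86 0x90 NOOP unicode"; '
    'content:"|90 00 90 00 90 00 90 00 90 00 90 00 90 00 90 00|"; '
    'classtype:shellcode-detect; sid:2314; rev:1;)')
RULE_653 = HEADER + ('(msg:"SHELLCODE x86 unicode NOOP"; '
    'content:"|90 00 90 00 90 00 90 00 90 00|"; '
    'classtype:shellcode-detect; sid:653; rev:8;)')

METADATA = {"msg", "classtype", "sid", "rev", "reference"}  # never affect matching

def parse(rule):
    """Return (header fields, content bytes, other detection option names)."""
    header, _, body = rule.partition("(")
    opts = re.findall(r'(\w+)\s*:\s*"?([^";]*)"?\s*;', body)
    contents = [v for k, v in opts if k == "content"]
    if len(contents) != 1:
        raise ValueError("this sketch handles exactly one content option")
    raw = bytearray()
    for i, part in enumerate(contents[0].split("|")):
        # Odd-numbered segments sit between pipes and are hex bytes.
        raw += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    extras = {k for k, _ in opts} - METADATA - {"content"}
    return header.split(), bytes(raw), extras

def subsumes(broad, narrow):
    """True if every payload that fires `narrow` must also fire `broad`."""
    b_head, b_pat, b_extra = parse(broad)
    n_head, n_pat, n_extra = parse(narrow)
    # Sound only when headers are identical and no modifier (offset, depth,
    # nocase, ...) changes where or how the content is searched.
    return b_head == n_head and not (b_extra or n_extra) and b_pat in n_pat

def fires(rule, payload):
    """Content-only match; header variables are not evaluated here."""
    return parse(rule)[1] in payload

# Constructed payloads: five and eight repetitions of 90 00.
SHORT_RUN = b"xx" + b"\x90\x00" * 5 + b"AAAA"
LONG_RUN = b"xx" + b"\x90\x00" * 8 + b"AAAA"

if __name__ == "__main__":
    print("653 covers 2314:", subsumes(RULE_653, RULE_2314))
    print("2314 covers 653:", subsumes(RULE_2314, RULE_653))
    for name, p in (("short", SHORT_RUN), ("long", LONG_RUN)):
        print(name, "653:", fires(RULE_653, p), "2314:", fires(RULE_2314, p))
```

The coverage runs one way only: a run of five to seven `90 00` pairs fires 653 without firing 2314.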




