[Snort-sigs] [Emerging-Sigs] SHELLCODE x86 inc ecx NOOP - for Yahoo
jesler at ...435...
Wed Feb 8 19:24:43 EST 2012
It's a VRT rule. It's an indicator rule. Meaning it's meant to be used in
conjunction with other rules for a more complete picture.
It's off by default.
On Wednesday, February 8, 2012, Balasubramaniam Natarajan <
bala150985 at ...2420...> wrote:
> Thanks wkitty :-)
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 inc ecx
classtype:shellcode-detect; sid:1394; rev:12;)
> On Thu, Feb 9, 2012 at 4:05 AM, waldo kitty <wkitty42 at ...3507...>
>> On 2/8/2012 17:17, Balasubramaniam Natarajan wrote:
>> > Whenever I log in to Yahoomail and log out I see a bunch of Shellcode
>> > getting triggered. Is this normal? When I look into packet Payload
>> > I see a bunch of A's I just want to know if others are seeing the same
>> if i'm reading the html stuff you posted correctly, the rule being
>> 1:1394... that is a VRT rule and it has no limitations on it... any
>> "$EXTERNAL_NET any" to "$HOME_NET any" string of 31 capital 'A'
>> set it off...
>> it is a very poor rule that does not limit itself on where it is looking
>> it is looking for... it is disabled over here...
> Balasubramaniam Natarajan
Senior Research Engineer, VRT
OpenSource Community Manager
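An added example, not part of the thread or of the VRT rule set: a Python sketch of why a content match on 31 consecutive 'A' bytes (0x41, the x86 `inc ecx` opcode) fires on ordinary traffic, and of treating it as an indicator that only counts when another alert hits the same flow. The signature names, flow ids and payloads are constructed for illustration.

```python
import base64
import re

# Assumption from the thread: the rule fires on 31 consecutive 0x41 bytes
# (ASCII 'A', also the x86 "inc ecx" opcode) anywhere in any IP payload.
A_RUN = re.compile(rb"A{31}")

def indicator_hit(payload: bytes) -> bool:
    """True when the payload contains a run of at least 31 'A' bytes."""
    return A_RUN.search(payload) is not None

def correlate(events):
    """events: (flow_id, signature, payload) tuples.
    Return flows where the indicator fired AND another signature alerted."""
    indicator, corroborated = set(), set()
    for flow, sig, payload in events:
        if sig == "inc_ecx_run":          # hypothetical name for the indicator
            if indicator_hit(payload):
                indicator.add(flow)
        else:                              # any other alert on the same flow
            corroborated.add(flow)
    return sorted(indicator & corroborated)

# Constructed sample data. Base64 of 24 zero bytes is 32 'A' characters, so
# ordinary web content carrying zero-filled binary data matches the pattern.
BENIGN = b"HTTP/1.1 200 OK\r\n\r\nblob=" + base64.b64encode(bytes(24))
EVENTS = [
    ("flow-1", "inc_ecx_run", BENIGN),
    ("flow-2", "inc_ecx_run", b"A" * 64),
    ("flow-2", "hypothetical_second_rule", b""),
]

if __name__ == "__main__":
    print("benign payload matches:", indicator_hit(BENIGN))
    print("flows worth a look:", correlate(EVENTS))
```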