[Snort-sigs] [Emerging-Sigs] SHELLCODE x86 inc ecx NOOP - for Yahoo

Joel Esler jesler at ...435...
Wed Feb 8 19:24:43 EST 2012


It's a VRT rule. It's an indicator rule, meaning it's meant to be used in
conjunction with other rules for a more complete picture.

It's off by default.

On Wednesday, February 8, 2012, Balasubramaniam Natarajan <
bala150985 at ...2420...> wrote:
> Thanks wkitty :-)
>
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 inc ecx
> NOOP"; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
> classtype:shellcode-detect; sid:1394; rev:12;)
>
>
> On Thu, Feb 9, 2012 at 4:05 AM, waldo kitty <wkitty42 at ...3507...> wrote:
>>
>> On 2/8/2012 17:17, Balasubramaniam Natarajan wrote:
>> > Whenever I login to Yahoomail and log out I see a bunch of Shellcode signatures
>> > getting triggered. Is this normal ?  When I look into packet Payload sure enough
>> > I see a bunch of A's. I just want to know if others are seeing the same ?
>>
>> if i'm reading the html stuff you posted correctly, the rule being triggered is
>> 1:1394... that is a VRT rule and it has no limitations on it... any inbound from
>> "$EXTERNAL_NET any" to "$HOME_NET any" string of 31 capital 'A' characters will
>> set it off...
>>
>> it is a very poor rule that does not limit itself on where it is looking or what
>> it is looking for... it is disabled over here...
>>
>
> --
> Regards,
> Balasubramaniam Natarajan
> www.etutorshop.com/moodle/

-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
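As an added illustration (not part of the thread and not VRT code), the Python below emulates sid 1394's content match and shows one reason printable web traffic can satisfy it: base64 encoding of NUL bytes is a run of 'A's. The triage classifier, its printable-context heuristic and the two sample payloads are constructed for this example, not taken from the Yahoo traffic the poster saw.

```python
import base64
import string

# sid 1394's content match: 31 consecutive 'A' bytes (0x41). On x86, 0x41 is the
# one-byte instruction "inc ecx", a common NOP-sled filler. The rule carries no
# port, protocol or context restriction, so any inbound packet with such a run fires.
SID_1394_CONTENT = b"A" * 31

_TEXT_BYTES = set(string.printable.encode())  # printable ASCII plus whitespace


def matches_sid_1394(payload: bytes) -> bool:
    """Emulate the rule's content match: a plain substring search."""
    return SID_1394_CONTENT in payload


def base64_of_nul(n_bytes: int) -> bytes:
    """Base64 of n NUL bytes: every three 0x00 become 'AAAA', so zero-padded
    attachments or blank buffers produce exactly the run the rule looks for."""
    return base64.b64encode(b"\x00" * n_bytes)


def triage_sid_1394(payload: bytes, window: int = 32) -> str:
    """Classify a hit for analyst triage (the rule itself does none of this):
    'no-match'       - the content string is absent;
    'text-context'   - every byte within `window` of the run is printable text,
                       consistent with base64/HTML bodies such as web mail;
    'binary-context' - non-printable bytes surround the run, which is how a
                       filler run inside binary data would look."""
    idx = payload.find(SID_1394_CONTENT)
    if idx < 0:
        return "no-match"
    start = max(0, idx - window)
    end = min(len(payload), idx + len(SID_1394_CONTENT) + window)
    if all(b in _TEXT_BYTES for b in payload[start:end]):
        return "text-context"
    return "binary-context"


# Constructed sample payloads (not captured traffic).
WEBMAIL_LIKE = (b"Content-Transfer-Encoding: base64\r\n\r\n"
                + base64_of_nul(48) + b"\r\nAAAAAAAAAAAA==\r\n")
BINARY_LIKE = b"\x00\x01\x02\x03" + b"A" * 40 + b"\xff\xfe\x80\x7f"

if __name__ == "__main__":
    for name, pkt in (("webmail-like", WEBMAIL_LIKE), ("binary-like", BINARY_LIKE)):
        print(name, matches_sid_1394(pkt), triage_sid_1394(pkt))
```

Both constructed payloads trip the rule's content match; only the context check separates the MIME-looking one from the binary one, which is the kind of correlation an indicator rule is meant to be paired with.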