[Snort-sigs] [Emerging-Sigs] SHELLCODE x86 inc ecx NOOP - for Yahoo

Joel Esler jesler at ...435...
Wed Feb 8 22:17:20 EST 2012


1-999,999 are Sourcefire's SIDs.

Yes, it's off by default.  We've made some changes to the default state of
rules just today.  We'll put more out about this tomorrow in a blog post
when we release the rules.

Joel

On Wednesday, February 8, 2012, waldo kitty <wkitty42 at ...3507...> wrote:
> On 2/8/2012 19:24, Joel Esler wrote:
>> It's a VRT rule. It's an indicator rule. Meaning it's meant to be used in
>> conjunction with other rules for a more complete picture.
>>
>> It's off by default.
>
> thanks for that, joel! i didn't know if it was off by default or if i had
> already turned it off because of just this type of problem with it...
>
> thanks also for the confirmation that it is a VRT rule... there are times
> that i tend to see something and if it is in a certain SID range, i
> automatically classify as to those i know are using those ranges...

-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire