[Snort-sigs] Feasibility question

Joel Esler (jesler) jesler at ...3865...
Thu Dec 4 18:42:24 EST 2014


No.  You’d get a ton of false positives on that.  We used that for research for a while, but it was too much.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

> On Dec 4, 2014, at 2:18 PM, James Lay <jlay at ...3266...> wrote:
> 
> Hey All,
> 
> So as I go about reverse engineering here, a common theme is seeing 
> PADDINGXX within exe's....would it be feasible to make a sig to match on 
> executable for this?  Thanks.
> 
> James
> 
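Added illustration (not part of the thread, and not Snort or Talos code): the reason a content match on PADDINGXX is so noisy is that the Microsoft linker fills the file-alignment slack at the end of every PE section with the string "PADDINGXXPADDING", so ordinary benign Windows binaries carry it. The script below builds a constructed, PE-shaped byte string (headers plus two sections, not a runnable executable), models what a rule like `content:"PADDINGXX";` would match, and then reports where in the layout each hit lands. A rule that fires only on hits inside real section data, rather than in slack, is the kind of extra context such a signature would need; the helper names and the fake section contents are assumptions made for this example.

```python
"""Model of a naive PADDINGXX content match over a PE-shaped buffer, with a
check of whether each hit sits in linker slack (benign) or real section data."""
import struct

FILLER = b"PADDINGXXPADDING"   # filler the MS linker writes into section slack
NEEDLE = b"PADDINGXX"          # what the naive rule would match on
FILE_ALIGN = 0x200


def build_demo_image(inject_in_code=False):
    """Construct a tiny PE-shaped byte string: MZ stub, PE signature, COFF header
    with no optional header, a 2-entry section table, and two sections whose
    alignment slack is filled with FILLER the way the linker does.  Constructed
    sample, not a real executable.  With inject_in_code=True the needle is also
    planted inside .text's real bytes, standing in for a file that embeds it."""
    text = bytearray(b"\x90" * 100 + b"\xc3")          # fake code bytes (101)
    if inject_in_code:
        text[10:10 + len(NEEDLE)] = NEEDLE
    rdata = bytearray(b"hello, world\0")                # fake read-only data (13)
    sections = [(b".text", bytes(text)), (b".rdata", bytes(rdata))]

    e_lfanew = 0x40
    hdr = bytearray(e_lfanew)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)        # e_lfanew -> "PE\0\0"
    hdr += b"PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0: section table follows), Characteristics
    hdr += struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x22)

    raw_ptr, table, bodies = FILE_ALIGN, b"", b""
    for name, data in sections:
        raw_size = -(-len(data) // FILE_ALIGN) * FILE_ALIGN   # round up to alignment
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data),
                             raw_ptr, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        slack = raw_size - len(data)
        bodies += data + (FILLER * (slack // len(FILLER) + 1))[:slack]
        raw_ptr += raw_size
    hdr += table
    hdr += b"\0" * (FILE_ALIGN - len(hdr))             # pad headers to first section
    return bytes(hdr + bodies)


def naive_rule_hits(data):
    """Offsets at which a plain content:"PADDINGXX" match would fire."""
    hits, pos = [], data.find(NEEDLE)
    while pos != -1:
        hits.append(pos)
        pos = data.find(NEEDLE, pos + 1)
    return hits


def parse_sections(data):
    """Return (name, PointerToRawData, VirtualSize, SizeOfRawData) per section."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    off = e_lfanew + 4 + 20 + opt_size
    out = []
    for _ in range(nsec):
        name, vsize, _va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        out.append((name.rstrip(b"\0").decode(), rawptr, vsize, rawsize))
        off += 40
    return out


def classify_hit(data, off):
    """'slack' for a hit in linker padding, 'data:<section>' for real section
    bytes, 'outside-sections' for anything else (headers, overlay)."""
    for name, ptr, real_len, raw_size in parse_sections(data):
        if ptr <= off < ptr + raw_size:
            return "slack" if off >= ptr + real_len else "data:" + name
    return "outside-sections"


def evaluate(data):
    """Summarise how the naive rule behaves on one image."""
    kinds = [classify_hit(data, h) for h in naive_rule_hits(data)]
    return {"hits": len(kinds),
            "slack_hits": kinds.count("slack"),
            "data_hits": sum(1 for k in kinds if k.startswith("data:"))}


if __name__ == "__main__":
    print("benign layout:", evaluate(build_demo_image()))
    print("needle in code:", evaluate(build_demo_image(inject_in_code=True)))
```

On the benign layout every hit is in slack, which is the false-positive flood the reply describes; only the injected variant produces a hit inside real section data. Applying the same slack-versus-data distinction to real files needs a PE parser in front of the match, which is more than a content rule alone can express.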


