[Snort-sigs] Feasibility question

James Lay jlay at ...3266...
Thu Dec 4 18:46:12 EST 2014


 

On 2014-12-04 04:42 PM, Joel Esler (jesler) wrote:

> No. You'd get a ton of false positives on that. We used that for research for a while, but it was too much.
> --
> JOEL ESLER
> Open Source Manager
> Threat Intelligence Team Lead
> Talos
>
>> On Dec 4, 2014, at 2:18 PM, James Lay <jlay at ...3266...> wrote:
>>
>> Hey All,
>>
>> So as I go about reverse engineering here, a common theme is seeing PADDINGXX within exe's....would it be feasible to make a sig to match on executable for this? Thanks.
>>
>> James

Thanks Joel...glad I asked. 

James

