[Snort-sigs] fast_pattern:only in rule 2101390 (GPL SHELLCODE x86 inc ebx NOOP)?

Cyrille Bollu cyrille.bollu at ...2420...
Tue Jan 14 10:08:38 EST 2014


Hi,

As of today, the "GPL SHELLCODE x86 inc ebx NOOP" rule uses the
fast_pattern:only modifier.

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL
SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC";
fast_pattern:only; classtype:shellcode-detect; sid:2101390; rev:7;)

This means that this rule will also trigger on "cccccccccccccccccc" content
(as explained in http://vrt-blog.snort.org/2012/02/low-hanging-fruit.html :
"It is important to know that because the fast pattern matcher is case
agnostic, any match that is marked as *fast_pattern:only;* acts as if it
had the *nocase;* modifier.").

Is it really intended?

I don't know much about shellcode. But, Google doesn't seem to think that
"ccccccc..." is a NOP sled.

At least, it definitely doesn't match the signature message. In this
case, this would be more of an "ARPL NOOP".

How could I have that corrected?

Best regards,

Cyrille
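The false positive described above, modelled in an added example (not Snort's code and not part of the original post): it treats a fast_pattern:only content as case-insensitive, as the quoted VRT blog states, compares it with a byte-exact content check, and names the single-byte x86-32 opcode a matched run of bytes decodes to (0x43 is inc ebx, 0x63 is arpl). The pipe-hex content parser and the sample payloads are constructed for the example.

```python
# Added example modelling the behaviour the post describes; not Snort's
# own code. Snort content strings may embed hex bytes between pipes,
# e.g. "CC|43 43|CC"; this small parser handles that syntax.
def parse_content(content: str) -> bytes:
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 1:                       # odd segments are hex byte lists
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)

# Per the VRT blog quoted in the post, a content marked fast_pattern:only is
# matched solely by the case-agnostic fast pattern matcher, so it behaves as
# if nocase were set; a plain content keyword is verified byte-exactly.
def find_content(payload: bytes, pattern: bytes, fast_pattern_only: bool) -> int:
    if fast_pattern_only:
        return payload.lower().find(pattern.lower())
    return payload.find(pattern)

# Single-byte x86-32 opcodes for the rule's sled byte and its lower-case twin.
OPCODE = {0x43: "inc ebx", 0x63: "arpl"}

def sled_mnemonic(matched: bytes) -> str:
    """Name the instruction a run of one repeated byte decodes to, or '?'."""
    if not matched or len(set(matched)) != 1:
        return "?"
    return OPCODE.get(matched[0], "?")

RULE_CONTENT = "CCCCCCCCCCCCCCCCCCCCCCCC"        # content from sid:2101390 rev:7

def evaluate(payload: bytes, fast_pattern_only: bool) -> dict:
    """Would sid:2101390 alert on payload, and what does the matched run encode?"""
    pattern = parse_content(RULE_CONTENT)
    idx = find_content(payload, pattern, fast_pattern_only)
    if idx < 0:
        return {"alert": False, "sled": "-"}
    matched = payload[idx:idx + len(pattern)]
    return {"alert": True, "sled": sled_mnemonic(matched)}

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "inc_ebx": b"\x90" * 4 + b"C" * 24 + b"\xcc",   # 0x43 x24: the intended sled
    "arpl":    b"\x90" * 4 + b"c" * 24 + b"\xcc",   # 0x63 x24: case-folded twin
    "mixed":   b"CcCcCcCcCcCcCcCcCcCcCcCc",          # matches only case-insensitively
    "benign":  b"GET /index.html HTTP/1.1\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:8} fast_pattern:only -> {evaluate(payload, True)}"
              f" | plain content -> {evaluate(payload, False)}")
```

Running it shows the "arpl" and "mixed" payloads alerting only under the fast_pattern:only semantics, which is exactly the mismatch with the rule's "inc ebx" message that the post raises.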