[Snort-sigs] fast_pattern:only in rule 2101390 (GPL SHELLCODE x86 inc ebx NOOP)?
cyrille.bollu at ...2420...
Tue Jan 14 10:08:38 EST 2014
As of today, the "GPL SHELLCODE x86 inc ebx NOOP" rule uses the
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL
SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC";
fast_pattern:only; classtype:shellcode-detect; sid:2101390; rev:7;)
This means that this rule will also trigger on "cccccccccccccccccc" content
(as explained in http://vrt-blog.snort.org/2012/02/low-hanging-fruit.html :
"It is important to know that because the fast pattern matcher is case
agnostic, any match that is marked as *fast_pattern:only;* acts as if it
had the *nocase;* modifier.").
Is it really intended?
I don't know much about shellcode. But Google doesn't seem to think that
"ccccccc..." is a NOP sled.
At least, it definitely doesn't match the signature message; in this
case, this would be more an "ARPL NOOP".
How could I have that corrected?
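A toy model of the two-stage matching the quoted VRT post describes (a case-insensitive fast-pattern prefilter, then the full content check that `fast_pattern:only` skips), added here as an example and not code from Snort or from this thread. The payloads are constructed; 0x43 is `inc ebx` and 0x63 is `arpl` in 32-bit x86, which is why the lowercase lookalike is a false positive for this rule.

```python
"""Constructed model of how fast_pattern:only turns a content match
case-insensitive. Not Snort's implementation; it only reproduces the
behaviour described in the VRT "low hanging fruit" post."""

from dataclasses import dataclass

INC_EBX_SLED = b"C" * 24   # 0x43 = inc ebx, what sid:2101390 is meant to catch
ARPL_BYTES = b"c" * 24     # 0x63 = arpl, the lowercase lookalike


@dataclass
class ContentOption:
    """One content: option and the modifiers relevant to this thread."""
    pattern: bytes
    nocase: bool = False
    fast_pattern_only: bool = False


def fast_pattern_prefilter(payload: bytes, pattern: bytes) -> bool:
    """Stage 1: the fast pattern matcher, which is always case agnostic."""
    return pattern.lower() in payload.lower()


def full_content_check(payload: bytes, opt: ContentOption) -> bool:
    """Stage 2: the rule-option content check, case-sensitive unless nocase."""
    if opt.nocase:
        return opt.pattern.lower() in payload.lower()
    return opt.pattern in payload


def rule_matches(payload: bytes, opt: ContentOption) -> bool:
    """fast_pattern:only trusts stage 1 and never runs stage 2."""
    if not fast_pattern_prefilter(payload, opt.pattern):
        return False
    if opt.fast_pattern_only:
        return True
    return full_content_check(payload, opt)


# The rule as shipped: content:"CCCC..."; fast_pattern:only;
RULE_AS_SHIPPED = ContentOption(INC_EBX_SLED, fast_pattern_only=True)
# Assumed fix: keep the pattern as fast pattern but drop ":only" so the
# case-sensitive content check still runs (fast_pattern; instead of fast_pattern:only;).
RULE_CORRECTED = ContentOption(INC_EBX_SLED, fast_pattern_only=False)


def evaluate(payload: bytes) -> dict:
    """Return which variant of the rule fires on a given payload."""
    return {"shipped": rule_matches(payload, RULE_AS_SHIPPED),
            "corrected": rule_matches(payload, RULE_CORRECTED)}
```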