[Snort-sigs] question about a content string
scorellis at ...2420...
Fri Jul 29 10:53:25 EDT 2016
I have run across the following content string in a rule that seems to be
Here is the entire rule:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Hex
content:"|5C|x41|5C|x41|5C|x41|5C|x41"; nocase; fast_pattern:only;
classtype:shellcode-detect; sid:2013273; rev:1;)
Searching a decompressed packet capture (which are gzip http) returns
neither a string of hexadecimal :
5C 41 5C 41 ...
nor a 41 41 41 41 (as the rule msg suggests)
nor a \41\41\41
there are, however, at least 9 hexadecimal 41s within a 900 byte segment.
According to the snort manual, "The binary data is _generally_ enclosed
within the pipe (|) character and represented as bytecode"
What is meant by "generally"? The most likely explanation of the x is that
it's trying to say that it's hex, but the documentation
So, at the end, here are my three questions:
1. does the "x" stand for hex?
2. is the "fast_pattern:only" keyword causing this thing to be way more
sensitive than it should be to the presence of 41s?
3. What is the solution to this (multiple choice): A) is there already a
rule for this threat in the GPL, B) should this rule be rewritten (if so,
how), or C) Is this an irrelevant rule that should just be disabled?
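Added illustration, not part of the original post: a small decoder for Snort `content` strings that applies the documented syntax (bytes between pipes are hex, everything outside the pipes is literal text) and searches constructed sample payloads with it. Applied to the content string above, it shows which bytes that rule actually looks for.

```python
import re


def decode_snort_content(content: str) -> bytes:
    """Decode a Snort 'content' string into the raw bytes it matches.

    Text between pipe characters is a run of hex bytes, e.g. |5C 41|;
    everything outside the pipes is literal ASCII, so an 'x' outside
    the pipes is just the letter x, not a hex prefix.
    """
    parts = content.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced pipe characters in content string")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 1:  # inside |...|: hex byte values, spaces optional
            hexdigits = part.replace(" ", "")
            if len(hexdigits) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", hexdigits):
                raise ValueError(f"bad hex segment: {part!r}")
            out += bytes.fromhex(hexdigits)
        else:  # outside pipes: literal characters
            out += part.encode("latin-1")
    return bytes(out)


def content_matches(content: str, payload: bytes, nocase: bool = False) -> bool:
    """True if the decoded content occurs in payload; nocase mimics the
    'nocase' modifier by comparing case-insensitively."""
    needle = decode_snort_content(content)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload


# Content string from the rule quoted in the post.
RULE_CONTENT = "|5C|x41|5C|x41|5C|x41|5C|x41"

# Constructed sample payloads (not real captures).
# A script that writes the bytes as hex escapes: backslash, x, 4, 1 ...
ESCAPED_TEXT = b'var nop = unescape("\\x41\\x41\\x41\\x41" + "\\x90\\x90");'
# A run of raw 0x41 bytes with no escape sequences at all.
RAW_A_RUN = b"A" * 32

if __name__ == "__main__":
    print(decode_snort_content(RULE_CONTENT))  # b'\\x41\\x41\\x41\\x41'
    print(content_matches(RULE_CONTENT, ESCAPED_TEXT, nocase=True))  # True
    print(content_matches(RULE_CONTENT, RAW_A_RUN, nocase=True))     # False
```

The decoded needle is the 16-byte text `\x41\x41\x41\x41`, which is why a capture containing raw 0x41 bytes but no backslash-x escape sequences does not contain it.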