[Snort-sigs] SID 39379 Norton Antivirus ASPack

Y M snort at ...3751...
Mon Feb 13 15:24:09 EST 2017


You can check the code in the src/ directory of the rules tarball.


so_rules/src/file-executable_norton-av-aspack-heap-corruption.c


YM

________________________________
From: Charlie Dyer <charlierwdyer at ...2420...>
Sent: Monday, February 13, 2017 11:18:10 PM
To: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] SID 39379 Norton Antivirus ASPack

Thanks, how do I see the compiled code which is the root cause of this false positive I'm seeing?
I'm seeing an Acrobat Reader executable being pushed out causing alerts for this rule.

On Mon, Feb 13, 2017 at 8:10 PM, Y M <snort at ...3751...<mailto:snort at ...3886......>> wrote:
A similar question came up the other day. This is a gid:3 rule, a Shared Object rule. The detection part is actually a compiled code and what you see is the rule stub. The flowbits is set by another rule to make sure that the detection alerts on executable files.

https://www.snort.org/faq/shared-object-rules

YM


________________________________
From: Charlie Dyer <charlierwdyer at ...2420...<mailto:charlierwdyer at ...3420....>>
Sent: Monday, February 13, 2017 11:01:50 PM
To: snort-sigs at lists.sourceforge.net<mailto:snort-sigs at ...3414...t>
Subject: [Snort-sigs] SID 39379 Norton Antivirus ASPack

Hello list

Could anyone shed light on the rule 39379?

I can't see any content matching, it simply alerts on any file that is an executable being downloaded, is that right?
If so, what has this got to do with Norton Antivirus?

Many thanks in advance.

Charlie

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net<mailto:Snort-sigs at lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20170213/3d5549c1/attachment.html>


More information about the Snort-sigs mailing list