No subject


Thu Nov 23 16:34:03 EST 2017


Hi Eric,

Thanks for your info.

Sorry for the confusion. What I am trying to ask is why only these NOP opcodes are chosen?

From what I found, the current sig only looks for these:

inc ecx - A - \x41
inc edx - B - \x42
inc ebx - C - \x43
inc esp - D - \x44

How about others?


Regards
YC

________________________________
 From: Eric G <eric at ...3692...>
To: Snort Users <snort-users at lists.sourceforge.net>
Sent: Wednesday, June 6, 2012 11:30 AM
Subject: Re: [Snort-users] [Snort-sigs] SHELLCODE base64 x86 NOOP

On Jun 5, 2012 11:05 PM, "yew chuan Ong" <yewchuan_23 at ...144...> wrote:
>
> Hi All,
>
> Understand this sig is to tackle the possibility of no-op sled.
> But, why is the content just limited to the following repeating characters? Any ideas?
>
> "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"
> "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
> "Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0ND"
> "kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ"
> "RERERERERERERERERERERERERERERERER"
>
> Thanks!
>
> Regards
> YC
Forgive me if I'm mistaken, but that's because those are what the x86 NOP opcodes look like on the wire.... Snort sees a bunch of NOPs chained together pass by the sensor, and this rule fires off because the traffic looks similar to malicious traffic that relies on using x86 NOP opcodes to control where malicious shellcode can be injected onto the stack.

"The NOP allows an attacker to fill an address space with a large number of NOPs followed by his or her code of choice. This allows "sledding" into the attacker's shellcode."
-from http://www.snort.org/search/sid/648

Maybe I'm not understanding your question... are you saying that there are other NOP opcodes that should be included? Or are you unsure of why there are repeating patterns of text in the rule?
--
Eric
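Added example, not code from the thread or from the Snort rule itself: it decodes the rule's content strings back to the bytes they stand for, and walks a base64 body in aligned 4-character groups looking for long runs of the single-byte opcodes listed above. The SLED_BYTES table, the sample body and all function names are constructed for this example; it also checks group alignment, which a plain content match does not.

```python
import base64

# Single-byte x86 instructions usable as NOP-sled filler, as discussed in the
# thread: the four "inc" opcodes YC listed and the classic NOP (0x90), which
# the rule's "kJCQ..." content string encodes. Table constructed for this example.
SLED_BYTES = {
    0x41: "inc ecx",
    0x42: "inc edx",
    0x43: "inc ebx",
    0x44: "inc esp",
    0x90: "nop",
}

def base64_group(byte_value):
    """Base64 maps every 3 input bytes to 4 output characters, so a run of one
    byte value encodes to a single 4-character group repeated over and over."""
    return base64.b64encode(bytes([byte_value]) * 3).decode("ascii")

def decode_rule_content(content):
    """Decode one of the rule's content strings; return the byte it is a run of,
    or None if the decoded data is not a run of a single byte value."""
    raw = base64.b64decode(content + "=" * (-len(content) % 4))
    return raw[0] if raw and raw == bytes([raw[0]]) * len(raw) else None

def find_base64_sleds(text, min_groups=6):
    """Walk a base64 blob in aligned 4-character groups and report runs of the
    groups above as (mnemonic, offset in text, sled bytes on the wire). Aligned
    matching matters: 0x42 and 0x90 are bit rotations of each other, so "QkJC"
    is a rotation of "kJCQ" and a plain substring search for one fires inside a
    run of the other. Assumes text starts on a base64 boundary."""
    groups = [text[i:i + 4] for i in range(0, len(text) - 3, 4)]
    lookup = {base64_group(b): name for b, name in SLED_BYTES.items()}
    hits, i = [], 0
    while i < len(groups):
        name = lookup.get(groups[i])
        j = i
        while name and j < len(groups) and groups[j] == groups[i]:
            j += 1
        if name and j - i >= min_groups:
            hits.append((name, i * 4, (j - i) * 3))
        i = j if j > i else i + 1
    return hits

# Constructed sample: a 0x90 sled starting one byte off the 3-byte boundary, then other bytes.
SAMPLE_BODY = base64.b64encode(b"\x00" + b"\x90" * 30 + b"end of sled").decode("ascii")

if __name__ == "__main__":
    print(decode_rule_content("kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ"))  # 144 (0x90)
    print(find_base64_sleds(SAMPLE_BODY))  # [('nop', 4, 27)]
```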
