[Snort-users] Experimental Shellcode ?

Chris Green cmg at ...671...
Tue Feb 19 13:55:06 EST 2002


Render-Vue <sales at ...4295...> writes:

> Hi Yah,
>
> Noticed this one from version 1.8.3 logs
>
> EXPERIMENTAL SHELLCODE x86 NOOP
> 2 209.52.171.15 -> xxx.xxx.64.121
>
> I've done a search on google etc but can't find an explanation. Can
> anyone enlighten me please


A NOOP is a computer instruction to do nothing. They are often used
to pad buffer overflow exploits, so typically you would look at the
full packet data, find the context of the packet, and find out if it
was something against something neat like an RPC service or something
mundane like the middle of an MP3.

The rule that set it off looks like:

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPERIMENTAL SHELLCODE x86 NOOP"; content:"|61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61|"; classtype:shellcode-detect; sid:1394; rev:1;)
-- 
Chris Green <cmg at ...671...>
A good pun is its own reword.
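The rule's content match and the "look at the full packet data" step from the reply, as an added Python example; this is not code from Snort or from the original mail. The three payloads are constructed for the example (an HTTP form post with a long run of "a", a short binary header followed by a 0x61 sled and a few non-text bytes, and seeded pseudo-random bytes standing in for media data), and the list of NOP-equivalent opcodes and the printable-context heuristic are this example's own assumptions, not anything Snort ships.

```python
"""Added example: reproduce the sid:1394 content match, then do the
context check the reply recommends.  Not Snort code; all payloads
below are constructed for illustration."""
import random
import string
from typing import Dict, Tuple

# The rule's content match: 21 consecutive 0x61 bytes.  On x86, 0x61 is
# POPA/POPAD, which serves as a NOP-equivalent when a sled must stay ASCII.
SID_1394_CONTENT = b"\x61" * 21

# Single-byte x86 instructions commonly used as sled filler.
# Assumption: an illustrative subset, not a list taken from Snort's rules.
NOP_EQUIVALENTS = frozenset({
    0x90,                    # nop
    0x61,                    # popa / popad
    0x40, 0x41, 0x42, 0x43,  # inc eax, inc ecx, inc edx, inc ebx
})

PRINTABLE = frozenset(string.printable.encode())

# Constructed sample payloads (not captured traffic).
SAMPLE_PAYLOADS: Dict[str, bytes] = {
    # A form field full of "a": matches the rule but is ordinary text.
    "http-form": b"POST /x HTTP/1.0\r\n\r\nname=" + b"a" * 30 + b"&x=1\r\n",
    # A binary header, a 200-byte POPA sled, then a few non-text bytes
    # standing in for whatever follows a sled (constructed, not real shellcode).
    "exploit-like": b"\x80\x00\x00\x28" + b"\x00" * 8
                    + b"\x61" * 200 + b"\x31\xc0\x50\xeb\xfe",
    # Seeded pseudo-random bytes, standing in for the middle of an MP3.
    "media-like": bytes(random.Random(1394).getrandbits(8) for _ in range(400)),
}


def rule_matches(payload: bytes) -> bool:
    """Equivalent of the rule's content: check (no offset/depth modifiers)."""
    return SID_1394_CONTENT in payload


def longest_nop_run(payload: bytes) -> Tuple[int, int]:
    """Return (offset, length) of the longest run of NOP-equivalent bytes."""
    best_off, best_len = 0, 0
    cur_off, cur_len = 0, 0
    for i, b in enumerate(payload):
        if b in NOP_EQUIVALENTS:
            if cur_len == 0:
                cur_off = i
            cur_len += 1
            if cur_len > best_len:
                best_off, best_len = cur_off, cur_len
        else:
            cur_len = 0
    return best_off, best_len


def classify(payload: bytes, min_run: int = 21, window: int = 16) -> str:
    """Crude context check: a sled-length run bordered only by printable
    text is most likely text; one bordered by binary data deserves a look
    at the whole packet.  Heuristic is an assumption of this example."""
    off, length = longest_nop_run(payload)
    if length < min_run:
        return "no-sled"
    before = payload[max(0, off - window):off]
    after = payload[off + length:off + length + window]
    if all(b in PRINTABLE for b in before + after):
        return "text-run"
    return "possible-sled"


def scan(payloads: Dict[str, bytes]) -> Dict[str, Tuple[bool, str]]:
    """Run the rule match and the context check over every payload."""
    return {name: (rule_matches(p), classify(p)) for name, p in payloads.items()}


if __name__ == "__main__":
    for name, (hit, verdict) in scan(SAMPLE_PAYLOADS).items():
        off, length = longest_nop_run(SAMPLE_PAYLOADS[name])
        print(f"{name:13s} sid:1394 match={hit!s:5s} "
              f"longest run={length:3d} at {off:3d} -> {verdict}")
```

The point of the second step is the one the reply makes: the rule only proves that 21 bytes of 0x61 appeared somewhere in the packet, so the surrounding bytes, not the alert line, decide whether it was a sled or a field full of "a".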