[Snort-users] Team0x42 Snort rules

Lurene A Grenier lurene.grenier at ...1935...
Mon Apr 7 18:05:44 EDT 2008

In addition you might want to note that the MSF default behavior is to
encode all shellcode and append a decoder to the beginning of the payload,
so none of those MSF shellcode rules will work except the HPUX on PA-RISC
because it lacks a valid encoder (though HPUX on ia64 should still be
undetectable with that rule).

I'm not in Brooklyn but I am crafty.

Lurene A Grenier, 
Analyst Team Lead
Senior Research Engineer
Office: (410) 423-1918
Mobile: (703) 839-3898
SourceFire Inc. o"  )~

-----Original Message-----
From: snort-users-bounces at lists.sourceforge.net
[mailto:snort-users-bounces at lists.sourceforge.net] On Behalf Of Brian
Sent: Monday, April 07, 2008 6:00 PM
To: TheWell
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Team0x42 Snort rules

On Apr 7, 2008, at 5:01 PM, TheWell wrote:
> Some good snort rules by Team0x42

Team B,


I see 5 rules that are all basically the same thing.  Perhaps you  
should update your regular expression to include all 5 cases you  
attempt to cover in 1 rule.

The following regular expression is released under the license to ill,  
however you may not use it unless you are in Brooklyn, and you did not  
sleep while traveling to said city.


