[Snort-users] Team0x42 Snort rules

Lurene A Grenier lurene.grenier at ...1935...
Mon Apr 7 18:05:44 EDT 2008


In addition you might want to note that the MSF default behavior is to
encode all shellcode and append a decoder to the beginning of the payload,
so none of those MSF shellcode rules will work except the HPUX on PA-RISC
because it lacks a valid encoder (though HPUX on ia64 should still be
undetectable with that rule).

I'm not in Brooklyn but I am crafty.

_________________________
Lurene A Grenier, 
Analyst Team Lead
Senior Research Engineer
 
Office: (410) 423-1918
Mobile: (703) 839-3898
                 ,,_
SourceFire Inc. o"  )~
                 ''''


-----Original Message-----
From: snort-users-bounces at lists.sourceforge.net
[mailto:snort-users-bounces at lists.sourceforge.net] On Behalf Of Brian
Caswell
Sent: Monday, April 07, 2008 6:00 PM
To: TheWell
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Team0x42 Snort rules

On Apr 7, 2008, at 5:01 PM, TheWell wrote:
> Some good snort rules by Team0x42

Team B,

Really?

I see 5 rules that are all basically the same thing.  Perhaps you  
should update your regular expression to include all 5 cases you  
attempt to cover in 1 rule.

The following regular expression is released under the license to ill,  
however you may not use it unless you are in Brooklyn, and you did not  
sleep while traveling to said city.

(\%(60|3b|7c|00)|<)

Brian
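
Added example, not part of either message: the regular expression from the message above, run in Python over constructed request URIs to show which of its five alternatives fires and which inputs it leaves unmatched as written. The sample URIs, the label names, and the case-insensitive variant are assumptions made for illustration.

```python
import re

# The regular expression exactly as posted in the thread (case-sensitive).
POSTED = re.compile(r"(\%(60|3b|7c|00)|<)")
# Assumption: the same pattern matched case-insensitively, since percent-encoded
# hex digits may arrive in either case.
NOCASE = re.compile(POSTED.pattern, re.IGNORECASE)

# Labels for the five alternatives (names chosen for this example).
LABELS = {
    "%60": "backtick",
    "%3b": "semicolon",
    "%7c": "pipe",
    "%00": "NUL byte",
    "<": "literal <",
}

def classify(uri, pattern=POSTED):
    """Return the label of the first alternative found in uri, or None."""
    m = pattern.search(uri)
    return LABELS[m.group(0).lower()] if m else None

# Constructed request URIs, not taken from real traffic.
SAMPLES = [
    "/search?q=a%60b",
    "/search?q=a%3bb",
    "/search?q=a%7cb",
    "/get?f=index.php%00.jpg",
    "/search?q=<b>",
    "/search?q=a%3Bb",      # upper-case hex
    "/search?q=%3cb%3e",    # percent-encoded '<'
    "/index.html?page=2",   # benign
]

def coverage(samples=SAMPLES):
    """Return (uri, result as posted, result with case-insensitive match)."""
    return [(u, classify(u, POSTED), classify(u, NOCASE)) for u in samples]

if __name__ == "__main__":
    for uri, posted, nocase in coverage():
        print(f"{uri:28} posted={posted!s:10} nocase={nocase}")
```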
