[Snort-users] Team0x42 Snort rules

M. Shirk shirkdog_list at ...125...
Mon Apr 7 18:16:58 EDT 2008


Everyone knows Team0x41 pwns all

Shirkdog
' or 1=1-- 

http://www.shirkdog.us

> From: lurene.grenier at ...1935...
> To: TheWell at ...14327...
> Date: Mon, 7 Apr 2008 18:05:44 -0400
> CC: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Team0x42 Snort rules
> 
> In addition you might want to note that the MSF default behavior is to
> encode all shellcode and append a decoder to the beginning of the payload,
> so none of those MSF shellcode rules will work except the HPUX on PA-RISC
> because it lacks a valid encoder (though HPUX on ia64 should still be
> undetectable with that rule).
> 
> I'm not in Brooklyn but I am crafty.
> 
> _________________________
> Lurene A Grenier, 
> Analyst Team Lead
> Senior Research Engineer
>  
> Office: (410) 423-1918
> Mobile: (703) 839-3898
>                  ,,_
> SourceFire Inc. o"  )~
>                  ''''
> 
> 
> -----Original Message-----
> From: snort-users-bounces at lists.sourceforge.net
> [mailto:snort-users-bounces at lists.sourceforge.net] On Behalf Of Brian
> Caswell
> Sent: Monday, April 07, 2008 6:00 PM
> To: TheWell
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Team0x42 Snort rules
> 
> On Apr 7, 2008, at 5:01 PM, TheWell wrote:
> > Some good snort rules by Team0x42
> 
> Team B,
> 
> Really?
> 
> I see 5 rules that are all basically the same thing.  Perhaps you  
> should update your regular expression to include all 5 cases you  
> attempt to cover in 1 rule.
> 
> The following regular expression is released under the license to ill,  
> however you may not use it unless you are in Brooklyn, and you did not  
> sleep while traveling to said city.
> 
> (\%(60|3b|7c|00)|<)
> 
> Brian
> 

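Added example, not part of the original thread and not code from any of its participants or from the Snort project: the single regular expression from Brian's quoted message, run over constructed request lines to show which alternative fires and which lines only a case-insensitive variant would flag. Python's `re` module stands in for Snort's PCRE here, and the sample lines, `classify` and `coverage_gap` are assumptions made for illustration.

```python
import re

# Regex exactly as posted in the thread; case-sensitive as written.
POSTED = re.compile(r"(\%(60|3b|7c|00)|<)")
# Assumption: a case-insensitive variant (PCRE's /i modifier) for comparison.
# Percent-encoded hex digits are case-insensitive (RFC 3986), so %3B == %3b.
NOCASE = re.compile(POSTED.pattern, re.IGNORECASE)

# Character each alternative stands for, used to label a hit.
MEANING = {"60": "backtick", "3b": "semicolon", "7c": "pipe", "00": "NUL byte"}

# Constructed request lines for illustration; none come from the thread.
SAMPLES = [
    "GET /index.html HTTP/1.0",
    "GET /cgi-bin/form?name=a%60b HTTP/1.0",
    "GET /cgi-bin/form?name=a%3bb%7cc HTTP/1.0",
    "GET /cgi-bin/form?name=a%00.txt HTTP/1.0",
    "GET /cgi-bin/form?name=<b> HTTP/1.0",
    "GET /cgi-bin/form?name=a%3Bb HTTP/1.0",
    "GET /report?done=100%25 HTTP/1.0",
]


def classify(line, pattern=POSTED):
    """Return a label for every token in `line` that `pattern` matches."""
    hits = []
    for m in pattern.finditer(line):
        hex_part = m.group(2)  # None when the literal '<' branch matched
        hits.append(MEANING[hex_part.lower()] if hex_part else "literal <")
    return hits


def coverage_gap(lines):
    """Lines flagged by the case-insensitive variant but not by the posted regex."""
    return [l for l in lines if classify(l, NOCASE) and not classify(l, POSTED)]


if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{classify(line)!s:28} {line}")
    print("missed without /i:", coverage_gap(SAMPLES))
```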