[Snort-users] [Snort-sigs] SHELLCODE base64 x86 NOOP

Eric G eric at ...15503...
Tue Jun 5 23:30:29 EDT 2012


On Jun 5, 2012 11:05 PM, "yew chuan Ong" <yewchuan_23 at ...131...> wrote:
>
> Hi All,
>
> I understand this sig is to tackle the possibility of a no-op sled.
> But, why is the content just limited to the following repeating
> characters? Any ideas?
>
> "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"
> "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
> "Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0ND"
> "kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ"
> "RERERERERERERERERERERERERERERERER"
>
> Thanks!
>
> Regards
> YC

Forgive me if I'm mistaken, but that's because those are what the x86 NOP
opcodes look like on the wire... Snort sees a bunch of NOPs chained
together pass by the sensor, and this rule fires off because the traffic
looks similar to malicious traffic that relies on using x86 NOP opcodes to
control where malicious shellcode can be injected onto the stack.

"The NOP allows an attacker to fill an address space with a large number of
NOPs followed by his or her code of choice. This allows "sledding" into the
attackers shellcode."
-from http://www.snort.org/search/sid/648

Maybe I'm not understanding your question... are you saying that there
are other NOP opcodes that should be included? Or are you unsure of why there
are repeating patterns of text in the rule?

--
Eric