List: snort-sigs
Subject: [Snort-sigs] fast_pattern:only in rule 2101390 (GPL SHELLCODE x86 inc ebx NOOP)?
From: Cyrille Bollu <cyrille.bollu () gmail ! com>
Date: 2014-01-14 15:08:38
Message-ID: CAAymSK5jqHN666L5Dyd8qFYbAGDjLvGJQra-EHrRgVfEJ5Z1ww () mail ! gmail ! com
Hi,
As of today, the "GPL SHELLCODE x86 inc ebx NOOP" rule uses the
fast_pattern:only modifier.
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; classtype:shellcode-detect; sid:2101390; rev:7;)
This means that this rule will also trigger on "cccccccccccccccccc" content
(as explained in http://vrt-blog.snort.org/2012/02/low-hanging-fruit.html :
"It is important to know that because the fast pattern matcher is case
agnostic, any match that is marked as *fast_pattern:only;* acts as if it
had the *nocase;* modifier.").
Is it really intended?
I don't know much about shellcodes. But Google doesn't seem to think that
"ccccccc..." is a NOP sled.
At least, it definitively doesn't match the signature message; in this
case, this would be more an "ARPL NOOP".
How could I have that corrected?
Best regards,
Cyrille
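Added example (not from the post or from the Snort project): a small Python model of the two-stage matching the quoted VRT blog describes, so the effect can be checked offline. The fast pattern matcher is modelled as a case-insensitive prefilter; when the content carries `fast_pattern:only` it is never re-evaluated as a rule option, so a hit in the prefilter is the final verdict, which is why it behaves as `nocase`. The second rule string, which drops `:only` and keeps plain `fast_pattern`, is an assumed fix: the content then still seeds the prefilter but is verified case-sensitively afterwards. The opcode labels (0x43 = inc ebx, 0x63 = arpl, both 32-bit mode) are standard x86 single-byte encodings; the payloads are constructed.

```python
# Simplified model of Snort fast-pattern prefiltering vs. rule-option verification.
# Not Snort's code; it only reproduces the behaviour documented for fast_pattern:only.

# Rule text taken from the post (sid 2101390 rev 7), and an assumed variant without ":only".
RULE_ONLY = ('alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any '
             '(msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; '
             'fast_pattern:only; classtype:shellcode-detect; sid:2101390; rev:7;)')
RULE_FP = RULE_ONLY.replace("fast_pattern:only;", "fast_pattern;")

# Single-byte x86 opcodes (32-bit mode) relevant to this sled; constructed lookup for labelling.
OPCODE_32 = {0x43: "inc ebx", 0x63: "arpl"}


def parse_rule(rule):
    """Return (content string, set of modifiers). Assumes one content option and no
    semicolons inside quoted values, which holds for the rule above."""
    opts = rule[rule.index("(") + 1 : rule.rindex(")")]
    content, mods = None, set()
    for part in (p.strip() for p in opts.split(";")):
        if part.startswith("content:"):
            content = part[len("content:"):].strip().strip('"')
        elif part in ("nocase", "fast_pattern", "fast_pattern:only"):
            mods.add(part)
    return content, mods


def match(rule, payload):
    """Two-stage match: case-insensitive fast-pattern prefilter, then rule-option
    verification. With fast_pattern:only the verification step is skipped, so the
    prefilter hit alone fires the rule (effective nocase)."""
    content, mods = parse_rule(rule)
    pattern = content.encode()
    if pattern.lower() not in payload.lower():   # fast pattern matcher: case agnostic
        return False
    if "fast_pattern:only" in mods:              # content is not evaluated as a rule option
        return True
    if "nocase" in mods:                         # explicit case-insensitive verification
        return True
    return pattern in payload                    # default: case-sensitive verification


def describe_sled(payload):
    """Label a homogeneous byte run with its 32-bit x86 mnemonic, if known."""
    if len(set(payload)) != 1:
        return "mixed bytes"
    return OPCODE_32.get(payload[0], "0x%02x" % payload[0])


if __name__ == "__main__":
    inc_ebx = b"C" * 24   # 0x43 repeated: the sled the signature message names
    arpl = b"c" * 24      # 0x63 repeated: what the case-agnostic match also catches
    for label, payload in (("0x43 sled", inc_ebx), ("0x63 sled", arpl)):
        print("%s (%s): fast_pattern:only -> %s, fast_pattern -> %s" % (
            label, describe_sled(payload), match(RULE_ONLY, payload), match(RULE_FP, payload)))
```

Running it shows the `fast_pattern:only` rule firing on both the 0x43 (inc ebx) and 0x63 (arpl) runs, while the variant with plain `fast_pattern` fires only on the 0x43 run; the cost of the assumed fix is one extra case-sensitive content verification after the prefilter hit.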
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!