Snort mailing list archives

Re: Experimental Shellcode ?


From: Chris Green <cmg () uab edu>
Date: Tue, 19 Feb 2002 15:54:23 -0600

Render-Vue <sales () render-vue com> writes:

Hi Yah,

Noticed this one from version 1.8.3 logs

EXPERIMENTAL SHELLCODE x86 NOOP
2 209.52.171.15 -> xxx.xxx.64.121

I've done a search on google etc but can't find an explanation. Can
anyone enlighten me please


A NOOP is a computer instruction to do nothing. They are often used
to pad buffer overflow exploits, so typically you would look at the
full packet data, find the context of the packet, and find out whether
it was something against something neat like an RPC service or something
mundane like the middle of an MP3.

The rule that set it off looks like:

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPERIMENTAL SHELLCODE x86 NOOP"; content:"|61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61|"; classtype:shellcode-detect; sid:1394; rev:1;)
-- 
Chris Green <cmg () uab edu>
A good pun is its own reword.
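As an added illustration of the "look at the full packet data" advice in the reply above (this is example code written for this page, not Snort's matching engine and not anything posted in the thread): the content option of the quoted rule is a plain 21-byte substring test, so the function below reproduces it over three constructed payloads and pulls out the bytes around the hit so the analyst can see what the padding leads into. The printable-ratio triage heuristic, the window size and all sample payloads are assumptions of the example, not part of Snort or the rule.

```python
"""Re-implementation of the sid:1394 content match plus a context dump.
Example code added to this page; the payloads are constructed, not captured."""

import string
from typing import Optional

# The quoted rule's content option: 21 consecutive 0x61 bytes.
# 0x61 encodes popad on 32-bit x86, a single-byte instruction that can
# serve as sled filler just like 0x90 (nop).
NOOP_PATTERN = bytes([0x61]) * 21

PRINTABLE = set(string.printable.encode())


def matches_sid1394(payload: bytes) -> bool:
    """Exactly what the rule does: is the 21-byte pattern anywhere in the payload?"""
    return NOOP_PATTERN in payload


def hit_context(payload: bytes, window: int = 16) -> Optional[dict]:
    """Locate the first hit and expand it to the full run of 0x61 bytes it sits in.

    Returns the run's offset and length plus `window` bytes following the run,
    which is what an analyst wants to eyeball: padding feeding machine code
    looks very different from padding inside a text file or media stream.
    """
    off = payload.find(NOOP_PATTERN)
    if off < 0:
        return None
    start, end = off, off
    while start > 0 and payload[start - 1] == 0x61:
        start -= 1
    while end < len(payload) and payload[end] == 0x61:
        end += 1
    return {"offset": start, "run_length": end - start, "after": payload[end:end + window]}


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (1.0 for empty input)."""
    if not data:
        return 1.0
    return sum(b in PRINTABLE for b in data) / len(data)


def triage(payload: bytes) -> str:
    """Heuristic assumed for this example (not a Snort feature): a run followed
    by mostly non-printable bytes smells like a sled in front of shellcode; a
    run embedded in printable text is more likely ordinary data."""
    ctx = hit_context(payload)
    if ctx is None:
        return "no-alert"
    if printable_ratio(ctx["after"]) < 0.5:
        return "alert:suspicious"
    return "alert:likely-benign"


# Constructed sample payloads (not real traffic).
# 1. A long 0x61 run followed by stand-in binary bytes, as a sled would be.
SLED_LIKE = bytes([0x61]) * 200 + bytes(range(0x80, 0xA0))
# 2. Someone holding down the "a" key in a chat message.
TEXT_LIKE = b"lol that was sooo funny " + b"a" * 30 + b"!!! see you tomorrow"
# 3. Deterministic pseudo-random bytes standing in for the middle of an MP3;
#    consecutive values always differ, so no run of 0x61 can occur.
MP3_LIKE = bytes((i * 37 + 11) % 256 for i in range(400))

SAMPLES = {"sled_like": SLED_LIKE, "text_like": TEXT_LIKE, "mp3_like": MP3_LIKE}


def scan(samples: dict) -> dict:
    """Run the rule match and triage over every sample; returns name -> verdict."""
    return {name: triage(payload) for name, payload in samples.items()}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        ctx = hit_context(payload)
        print(f"{name:10s} rule_hit={matches_sid1394(payload)!s:5s} verdict={triage(payload)}")
        if ctx:
            print(f"           run at offset {ctx['offset']}, length {ctx['run_length']}, "
                  f"followed by {ctx['after'].hex()}")
```

Note that both the sled-like and the chat-like payloads trip the rule, which is the point of the reply: the rule only proves that 21 bytes of 0x61 went by, and the surrounding bytes (and the destination service) decide whether the alert matters.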

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

