Re: [Snort-users] Team0x42 Snort rules

This is a discussion on Re: [Snort-users] Team0x42 Snort rules within the Snort forums, part of the System Security and Security Related category.


#1  04-07-2008
M. Shirk
Re: [Snort-users] Team0x42 Snort rules


Everyone knows Team0x41 pwns all

Shirkdog
' or 1=1--

http://www.shirkdog.us

> From: lurene.grenier@sourcefire.com
> To: TheWell@team0x42.homeunix.org
> Date: Mon, 7 Apr 2008 18:05:44 -0400
> CC: snort-users@lists.sourceforge.net
> Subject: Re: [Snort-users] Team0x42 Snort rules
>
> In addition you might want to note that the MSF default behavior is to
> encode all shellcode and append a decoder to the beginning of the payload,
> so none of those MSF shellcode rules will work except the HPUX on PA-RISC
> because it lacks a valid encoder (though HPUX on ia64 should still be
> undetectable with that rule).
>
> I'm not in Brooklyn but I am crafty.
>
> _________________________
> Lurene A Grenier,
> Analyst Team Lead
> Senior Research Engineer
>
> Office: (410) 423-1918
> Mobile: (703) 839-3898
> ,,_
> SourceFire Inc. o" )~
> ''''
>
>
> -----Original Message-----
> From: snort-users-bounces@lists.sourceforge.net
> [mailto:snort-users-bounces@lists.sourceforge.net] On Behalf Of Brian
> Caswell
> Sent: Monday, April 07, 2008 6:00 PM
> To: TheWell
> Cc: snort-users@lists.sourceforge.net
> Subject: Re: [Snort-users] Team0x42 Snort rules
>
> On Apr 7, 2008, at 5:01 PM, TheWell wrote:
> > Some good snort rules by Team0x42

>
> Team B,
>
> Really?
>
> I see 5 rules that are all basically the same thing. Perhaps you
> should update your regular expression to include all 5 cases you
> attempt to cover in 1 rule.
>
> The following regular expression is released under the license to ill,
> however you may not use it unless you are in Brooklyn, and you did not
> sleep while traveling to said city.
>
> (\%(60|3b|7c|00)|<)
>
> Brian
>
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/...fo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.p...=snort-users





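The one concrete detection artifact in the thread is Brian's consolidated expression `(\%(60|3b|7c|00)|<)`, offered as a replacement for five near-identical rules. The script below is an added example, not code from the thread or from Team0x42: it compares the posted pattern against five single-case patterns (my reconstruction from the alternatives in the regex, since the original five rules are not reproduced in the thread) over a handful of constructed request URIs, and shows the caveat a rule author would want to know: as posted, the hex digits are lowercase only, so `%7C` slips past unless the expression is compiled case-insensitively (Snort's `pcre` `i` modifier).

```python
import re
from typing import Dict, List, Tuple

# Brian Caswell's consolidated expression from the thread, verbatim.
POSTED_PATTERN = r"(\%(60|3b|7c|00)|<)"

# The five conditions the posted regex folds together. The thread does not
# reproduce the five original rules, so these per-case patterns are an
# assumption reconstructed from the alternatives in the posted expression.
PER_CASE_PATTERNS: Dict[str, str] = {
    "url-encoded backtick":  r"%60",
    "url-encoded semicolon": r"%3b",
    "url-encoded pipe":      r"%7c",
    "url-encoded NUL":       r"%00",
    "literal <":             r"<",
}


def compile_rule(pattern: str, case_insensitive: bool):
    """Compile a pattern the way Snort's pcre option would, with or without /i."""
    return re.compile(pattern, re.IGNORECASE if case_insensitive else 0)


def cases_hit(uri: str, case_insensitive: bool = False) -> List[str]:
    """Names of the per-case patterns that match the given request URI."""
    return [name for name, pat in PER_CASE_PATTERNS.items()
            if compile_rule(pat, case_insensitive).search(uri)]


def consolidated_hit(uri: str, case_insensitive: bool = False) -> bool:
    """True if the single consolidated expression matches the URI."""
    return compile_rule(POSTED_PATTERN, case_insensitive).search(uri) is not None


def compare(uris: List[str], case_insensitive: bool = False) -> List[Tuple[str, List[str], bool]]:
    """For each URI, pair the per-case hits with the consolidated verdict so the
    two can be checked for agreement (the consolidated rule should fire exactly
    when at least one per-case rule fires)."""
    return [(uri, cases_hit(uri, case_insensitive), consolidated_hit(uri, case_insensitive))
            for uri in uris]


# Constructed sample request URIs (not taken from the thread).
SAMPLE_URIS = [
    "/cgi-bin/status.cgi?host=10.0.0.1",         # benign
    "/cgi-bin/status.cgi?host=10.0.0.1%3bid",    # encoded ';' (lowercase hex)
    "/cgi-bin/status.cgi?host=10.0.0.1%7Cid",    # encoded '|' with UPPERCASE hex
    "/search?q=<b>bold</b>",                      # literal '<'
    "/download?file=report.pdf%00.txt",           # encoded NUL
    "/cgi-bin/status.cgi?host=%60id%60",          # encoded backticks
]

if __name__ == "__main__":
    for ci in (False, True):
        print(f"case_insensitive={ci}")
        for uri, cases, verdict in compare(SAMPLE_URIS, ci):
            print(f"  {str(verdict):5}  {cases}  {uri}")
```

Run without arguments it prints both passes; the uppercase `%7C` line flips from a miss to a hit only in the case-insensitive pass. Two things to keep in mind when moving this into a Snort rule: add the `i` modifier to the `pcre` option so hex case does not matter, and remember that Snort's normalized URI buffer has percent-encoding already decoded, so a pattern that looks for the literal text `%3b` has to be evaluated against the raw (unnormalized) URI buffer to see the encoded form at all.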
