[Emerging-Sigs] Binary Packer Signatures

dxp dxp2532 at gmail.com
Thu Jan 22 10:44:40 EST 2009


It should be interesting to see how this project works out.  The idea is
good but I think it requires a lot of testing and tuning.  A quick run
through several different pcaps produced lots of FPs on sid:20091157
([Ste@lth PE 1.01 -> BGCorp]).

I'm applying your sigs to my test sensors and if there are any issues
then I'll post them here.
I'm working on similar research to identify malicious binaries so these
sigs should definitely help.

Also, it looks like the PEiD database you have is a bit dated.  It would
be nice to have an updated set for these rules.
-- 

-=[ dxp ]=-
0xA3F3C6E3



On Wed, 2009-01-21 at 17:08 -0500, Josh Smith wrote:

> I've been working (when I can get the chance from school) in my spare
> time on converting the PEiD packer database straight to snort
> signatures.  I've refined them to specific byte patterns, but when I
> tested a pcap of a transferred binary packed with UPX, about 10
> signatures fired off.  There are a little over 1800 signatures that I
> have converted, but I feel they still need refining to reduce false
> positives.  Attached is the snort signature database I have made,
> along with my PEiD database.
> 
> -Josh Smith
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
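The conversion Josh describes, and the false positives dxp reports, as an added example that is not part of this thread and not either poster's code: a parser for PEiD's userdb.txt syntax that emits Snort 2 rules and flags the entries most likely to fire on unrelated traffic. Each fixed byte run becomes a `content` match; a run of `??` wildcards becomes `distance:<gap>` on the next content, with `within:<run length>` pinning it to exactly that offset. The two database entries and the "benign" byte blob are constructed for the demo (the first entry's bytes are modelled on a UPX-style stub prologue), and the sid range, classtype and the fixed-byte thresholds in `fp_risk` are this example's own choices.

```python
"""PEiD userdb.txt -> Snort 2 rules, with a false-positive risk check.

Added example for the Emerging-Sigs thread; not the converter posted there.
Database text and the benign blob below are constructed for the demo.
"""
import re

# Constructed sample in PEiD userdb.txt syntax. Entry 1 is modelled on a
# UPX-style decompressor prologue; entry 2 is deliberately weak: a generic
# x86 function prologue (push ebp; mov ebp,esp) plus a NOP.
SAMPLE_USERDB = """
[Example UPX-style stub]
signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB
ep_only = true

[Weak Stub 0.1 -> Nobody]
signature = 55 8B EC ?? ?? 90
ep_only = false
"""

# Constructed: two ordinary function prologues as found in any unpacked PE.
BENIGN_BLOB = bytes.fromhex("558BEC83EC90C9C3558BEC51529090C3")


def parse_userdb(text):
    """Return [(name, tokens, ep_only)] for every entry in userdb syntax."""
    entries, name, tokens, ep_only = [], None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            if name and tokens:
                entries.append((name, tokens, ep_only))
            name, tokens, ep_only = line[1:-1], None, False
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower() == "signature":
                tokens = value.upper().split()
            elif key.lower() == "ep_only":
                ep_only = value.lower() == "true"
    if name and tokens:
        entries.append((name, tokens, ep_only))
    return entries


def is_wild(token):
    """PEiD writes a wildcard byte as '??'; treat any token with '?' as wild."""
    return "?" in token


def fixed_runs(tokens):
    """Split a pattern into (wildcards_before, fixed_bytes) runs."""
    runs, gap, cur = [], 0, bytearray()
    for tok in tokens:
        if is_wild(tok):
            if cur:
                runs.append((gap, bytes(cur)))
                cur, gap = bytearray(), 0
            gap += 1
        else:
            cur.append(int(tok, 16))
    if cur:
        runs.append((gap, bytes(cur)))
    return runs


def compile_pattern(tokens):
    """Byte regex equivalent to the PEiD pattern, for offline testing."""
    parts = [b"." if is_wild(t) else re.escape(bytes([int(t, 16)])) for t in tokens]
    return re.compile(b"".join(parts), re.DOTALL)


def count_hits(tokens, blob):
    """Occurrences of the pattern anywhere in blob (floating, like the rule)."""
    return len(compile_pattern(tokens).findall(blob))


def msg_escape(text):
    """Snort needs backslash, double quote and semicolon escaped inside msg."""
    return re.sub(r'([\\";])', r'\\\1', text)


def to_snort(name, tokens, sid):
    """One Snort 2 rule: each fixed run is a content; each ?? gap is distance:<gap>
    on the next content, and within:<run length> pins it to exactly that spot."""
    opts = ['msg:"PACKER %s"' % msg_escape(name), "flow:established"]
    for i, (gap, run) in enumerate(fixed_runs(tokens)):
        opts.append('content:"|%s|"' % " ".join("%02X" % b for b in run))
        if i > 0:  # a leading gap before the first run cannot be pinned; the rule floats anyway
            opts += ["distance:%d" % gap, "within:%d" % len(run)]
    opts += ["classtype:misc-activity", "sid:%d" % sid, "rev:1"]
    return "alert tcp $EXTERNAL_NET any -> $HOME_NET any (%s;)" % "; ".join(opts)


def fp_risk(tokens, ep_only, min_fixed=8, min_run=4):
    """Heuristic reasons the rule will false-positive (thresholds are this example's choice)."""
    runs = fixed_runs(tokens)
    fixed = sum(len(r) for _, r in runs)
    longest = max((len(r) for _, r in runs), default=0)
    reasons = []
    if fixed < min_fixed:
        reasons.append("only %d fixed bytes" % fixed)
    if longest < min_run:
        reasons.append("longest fixed run is %d bytes (weak fast-pattern)" % longest)
    if ep_only:
        reasons.append("ep_only: PEiD checks this only at the entry point; on the wire it floats over the whole file")
    return reasons


def convert(text, first_sid=1000001):
    """Convert a whole database; return [(rule, reasons)] in file order."""
    return [(to_snort(name, toks, first_sid + n), fp_risk(toks, ep))
            for n, (name, toks, ep) in enumerate(parse_userdb(text))]


if __name__ == "__main__":
    for rule, reasons in convert(SAMPLE_USERDB):
        print(rule)
        for r in reasons:
            print("  # FP risk:", r)
    weak = parse_userdb(SAMPLE_USERDB)[1][1]
    print("weak stub hits in benign blob:", count_hits(weak, BENIGN_BLOB))
```

Run as-is and the weak entry is flagged on both counts and matches twice inside the sixteen-byte benign blob, while the longer UPX-style entry matches only a buffer that actually contains it. The `ep_only` flag is the part the conversion cannot carry over: PEiD evaluates those entries only at the executable's entry point, whose file offset depends on the optional header and section table, so a rule over a file in transit has to float and any short prologue-like run in it will match ordinary code. Snort's default fast pattern is the longest `content`, so the "longest fixed run" check is also a proxy for how cheap the rule is to evaluate.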