[Emerging-Sigs] Rule dupe, well msg anyway. Is that allowed?

Paul Halliday paul.halliday at gmail.com
Wed Dec 12 06:33:05 HAST 2012


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 58|"; fast_pattern:only; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012086; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 8F|"; fast_pattern:only; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012088; rev:1;)

-- 
Paul Halliday
http://www.pintumbler.org/
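
Added example, not part of the original post and not Emerging Threats tooling: a small Python check that groups rules by msg and reports any msg shared by more than one sid, together with the content patterns that distinguish them. The function names are hypothetical, and the sample input is the two rules quoted above, unwrapped to one line each.

```python
import re
from collections import defaultdict

# Constructed sample input: the two rules from the post, one rule per line.
RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 58|"; fast_pattern:only; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012086; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 8F|"; fast_pattern:only; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012088; rev:1;)
'''

# key:value; pairs inside the rule body; a quoted value may contain ';' or escapes.
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_rule(line):
    """Return {'sid': int, 'msg': str, 'content': [...]} for one rule line, else None."""
    start, end = line.find("("), line.rfind(")")
    if start < 0 or end < start:
        return None
    rule = {"content": []}
    for key, value in OPTION_RE.findall(line[start + 1:end]):
        value = value.strip().strip('"')
        if key == "content":
            rule["content"].append(value)
        elif key in ("msg", "sid"):
            rule[key] = value
    if "msg" not in rule or "sid" not in rule:
        return None
    rule["sid"] = int(rule["sid"])
    return rule


def msg_collisions(text):
    """Map each msg used by more than one sid to a sorted [(sid, contents), ...]."""
    by_msg = defaultdict(list)
    for line in text.splitlines():
        rule = parse_rule(line.strip())
        if rule:
            by_msg[rule["msg"]].append((rule["sid"], rule["content"]))
    return {msg: sorted(hits) for msg, hits in by_msg.items() if len(hits) > 1}


if __name__ == "__main__":
    for msg, hits in msg_collisions(RULES).items():
        print(msg)
        for sid, contents in hits:
            print(f"  sid {sid}: content {contents}")
```

Run against a rules file, the output shows which sids an analyst cannot tell apart from the alert text alone.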

