Re: [Snort-users] Team0x42 Snort rules

Everyone knows Team0x41 pwns all

Shirkdog
' or 1=1-- 

http://www.shirkdog.us

> From: lurene.grenier@sourcefire.com
> To: TheWell@team0x42.homeunix.org
> Date: Mon, 7 Apr 2008 18:05:44 -0400
> CC: snort-users@lists.sourceforge.net
> Subject: Re: [Snort-users] Team0x42 Snort rules
>
> In addition you might want to note that the MSF default behavior is to
> encode all shellcode and append a decoder to the beginning of the payload,
> so none of those MSF shellcode rules will work except the HPUX on PA-RISC
> because it lacks a valid encoder (though HPUX on ia64 should still be
> undetectable with that rule).
>
> I'm not in Brooklyn but I am crafty.
>
> _________________________
> Lurene A Grenier, 
> Analyst Team Lead
> Senior Research Engineer
>  
> Office: (410) 423-1918
> Mobile: (703) 839-3898
>                  ,,_
> SourceFire Inc. o"  )~
>                  ''''
>
>
> -----Original Message-----
> From: snort-users-bounces@lists.sourceforge.net
> [mailto:snort-users-bounces@lists.sourceforge.net] On Behalf Of Brian
> Caswell
> Sent: Monday, April 07, 2008 6:00 PM
> To: TheWell
> Cc: snort-users@lists.sourceforge.net
> Subject: Re: [Snort-users] Team0x42 Snort rules
>
> On Apr 7, 2008, at 5:01 PM, TheWell wrote:
> > Some good snort rules by Team0x42
>
> Team B,
>
> Really?
>
> I see 5 rules that are all basically the same thing.  Perhaps you  
> should update your regular expression to include all 5 cases you  
> attempt to cover in 1 rule.
>
> The following regular expression is released under the license to ill,  
> however you may not use it unless you are in Brooklyn, and you did not  
> sleep while traveling to said city.
>
> (\%(60|3b|7c|00)|<)
>
> Brian
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by the 2008 JavaOne(SM) Conference 
> Register now and save $200. Hurry, offer ends at 11:59 p.m., 
> Monday, April 7! Use priority code J8TLD2. 
> http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javao
> ne
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by the 2008 JavaOne(SM) Conference 
> Register now and save $200. Hurry, offer ends at 11:59 p.m., 
> Monday, April 7! Use priority code J8TLD2. 
> http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

_________________________________________________________________
Use video conversation to talk face-to-face with Windows Live Messenger.
http://www.windowslive.com/messenger/connect_your_way.html?ocid=TXT_TAGLM_WL_Refresh_messenger_video_042008

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference 
Register now and save $200. Hurry, offer ends at 11:59 p.m., 
Monday, April 7! Use priority code J8TLD2. 
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users