ET DELETED SHELLCODE ADMutate polymorphic payload

SID: 2003119Rev: 40 views
History
Sourceet/open
CreatedJuly 30, 2010
UpdatedJuly 26, 2019
Classificationshellcode-detect
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SHELLCODE ADMutate polymorphic payload"; dsize:>45; content:"|e8|"; content:"|ff ff ff|"; distance:1; within:3; pcre:"/\xeb[\x26-\x7a].{0,20}(\x5e|\x58\x96|\x58\x89\xc6|\x8b\x34\x24\x83\xec\x04).{0,20}(((\xbb....|\x68....\x5b).{0,20}(\x31\xc9|\x31\xc0\x91))|((\x31\xc9|\x31\xc0\x91).{0,20}(\xbb....|\x68....\x5b))).{0,20}(\xb1.|\x6a.\x58\x89\xc1|\x6a.\x66\x59).{0,20}(\x31\x1e|\x93\x31\x06\x93|\x8b\x06\x09\xd8\x21\x1e\xf7\x16\x21\x06).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}\xe2[\xa0-\xf9].{0,20}\xeb[\x06-\x20].{0,20}\xe8[\x7f-\xff]\xff\xff\xff/sm"; reference:url,toorcon.org/2006/conference.html?id=29; classtype:shellcode-detect; sid:2003119; rev:4; metadata:created_at 2010_07_30, signature_severity Unknown, updated_at 2019_07_26;)

References

urltoorcon.org/2006/conference.html?id=29

Metadata

created at2010_07_30
signature severityUnknown
updated at2019_07_26

Comments (0)

Please sign in to leave a comment.
Sign in

No comments yet. Be the first to comment!