[Discussion] Binary Signature Detection

Victor Julien lists at inliniac.net
Mon Jan 26 11:44:58 UTC 2009


Hi Josh, thanks for bringing this up!

Josh Smith wrote:
> I have been working on converting the PEiD database of binary packer
> signatures straight to snort signatures.  I've been refining my
> signatures with other members from Emerging Threats, and have over
> 10,000 snort signatures for packers.  I was told this may be a good
> topic to bring up (binary packer detection) for OISF.

10k sigs is quite a lot :) Can you tell us something about the nature of
these sigs? Are they complex, or do they just use one content match, for
example?

Should they be matches against full packets and streams or would we be
able to match them against a small part of it?

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
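As an added worked example (not code from this thread, from Josh's ruleset, or from the Snort or OISF projects), here is a small converter that takes entries in the PEiD userdb.txt layout and emits one Snort rule per signature, which is the conversion Josh describes. The layout it assumes is `[name]`, `signature = ...` with `??` wildcard bytes, and `ep_only = true|false`; the three sample entries are constructed, and the sid range, `msg` prefix and `flow` options are choices made for the example.

```python
# Added example for this thread (not Josh Smith's converter, not Snort/OISF code).
# Assumes the PEiD userdb.txt layout: "[name]" / "signature = 60 E8 ?? ..." /
# "ep_only = true|false". Sample entries, sid base, msg prefix and flow options
# are choices made for the example.
import re

# Constructed sample entries in userdb.txt layout (illustrative, not copied from PEiD).
SAMPLE_USERDB = """
; comment line
[Example Packer A v1.0]
signature = 60 E8 00 00 00 00 58 83 E8 3D
ep_only = true

[Example Packer B v2.1]
signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 10
ep_only = true

[Example Packer C (loose)]
signature = ?? ?? 4D 5A 90 00 ?? ?? 50 45 00 00
ep_only = false
"""

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")

def parse_userdb(text):
    """Line-based parser; names may themselves contain ']', so a name is
    everything between the first '[' and the last ']' of its line."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # blank or comment (';' assumed)
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = {"name": line[1:-1], "tokens": [], "ep_only": False}
            entries.append(cur)
        elif cur is not None and "=" in line:
            key, _, val = line.partition("=")
            key, val = key.strip().lower(), val.strip()
            if key == "signature":
                cur["tokens"] = val.upper().split()
            elif key == "ep_only":
                cur["ep_only"] = val.lower() == "true"
    return [e for e in entries if e["tokens"]]

def split_runs(tokens):
    """Split tokens into (wildcard_gap_before, [hex bytes]) runs of fixed bytes.
    Leading '??' are dropped (nothing to anchor on); trailing '??' are dropped too."""
    runs, cur, gap = [], [], 0
    for t in tokens:
        if t == "??":
            if cur:
                runs.append((gap, cur))
                cur, gap = [], 0
            gap += 1
        elif HEX_BYTE.match(t):
            cur.append(t)
        else:
            raise ValueError("bad signature token %r" % t)
    if cur:
        runs.append((gap, cur))
    if runs:
        runs[0] = (0, runs[0][1])
    return runs

def to_snort_rule(entry, sid):
    """One content match per fixed-byte run. A gap of N '??' bytes becomes
    distance:N plus within:len(next run), which forces the next run to start
    exactly N bytes after the previous match ends."""
    runs = split_runs(entry["tokens"])
    if not runs:
        return None
    msg = re.sub(r'[";\\]', " ", entry["name"])   # special inside a rule option
    opts = ['msg:"PEiD packer %s"' % msg, "flow:established,to_client"]
    for i, (gap, hexbytes) in enumerate(runs):
        opts.append('content:"|%s|"' % " ".join(hexbytes))
        if i > 0:
            opts += ["distance:%d" % gap, "within:%d" % len(hexbytes)]
    # ep_only signatures are taken at the PE entry point, which is not a fixed
    # file offset, so offset/depth cannot pin them: the rule searches the stream.
    opts += ["sid:%d" % sid, "rev:1"]
    return "alert tcp any any -> any any (%s;)" % "; ".join(opts)

def convert(text, sid_base=1000001):
    """Emit one rule per entry; the sid base is an arbitrary local-rule range."""
    return [to_snort_rule(e, sid_base + i) for i, e in enumerate(parse_userdb(text))]

def sig_matches(tokens, data, at_start=False):
    """Reference check of the PEiD semantics on a byte buffer: the wildcard
    pattern occurs anywhere in data, or (ep_only style) only at offset 0."""
    n = len(tokens)
    positions = [0] if at_start else range(len(data) - n + 1)
    return any(
        pos + n <= len(data)
        and all(t == "??" or data[pos + k] == int(t, 16) for k, t in enumerate(tokens))
        for pos in positions
    )

if __name__ == "__main__":
    for rule in convert(SAMPLE_USERDB):
        print(rule)
```

The conversion shows what drives the complexity question above: a signature without wildcards becomes a single `content` match, while each run of `??` bytes forces another `content` plus `distance`/`within`, so one PEiD entry can turn into a chain of short matches (2-byte ones in the second sample), which leaves the fast-pattern matcher little to anchor on. `ep_only` signatures are taken at the PE entry point, not at a fixed file offset, so the rules cannot use `offset`/`depth` and end up searching the whole stream rather than a small part of it.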