Rule Category

INDICATOR-SHELLCODE

Alert Message

INDICATOR-SHELLCODE x86 inc ebx NOOP

Rule Explanation

This event is generated when traffic from a source outside the protected network to a host inside it contains a byte pattern commonly used to pad x86 shellcode.

Impact: The repeated instruction can be used as a NOOP to pad buffers on x86 architecture machines: a return address that lands anywhere in the padding slides forward into the real payload.

Details: The rule matches a run of 0x43 bytes, the x86 opcode for 'inc ebx'. Because it is a single-byte instruction whose only side effect is incrementing ebx, it serves as a NOOP in a sled. As with all shellcode rules, the same bytes also occur in legitimate data (0x43 is ASCII 'C'), so false positives are expected. Check whether shellcode rules are excluded on web ports; excluding them reduces false positives.

Ease of Attack: This is a generic rule designed to detect this opcode in use.

What To Look For

No information provided

Known Usage

No public information

False Positives

Known false positives, with the described conditions

If shellcode rules are not excluded on clear-text ports, this rule fires every time Snort sees 24 consecutive 'C' characters (0x43) in a row, which occur in ordinary text and encoded data as well as in shellcode. 0x43 is the x86 opcode for 'inc ebx'; it can serve as a NOOP on x86, but as with all shellcode rules, matching on the bare byte pattern causes false positives.
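The detection logic and the false-positive case described under Rule Explanation and False Positives above, as an added Python example that is not Snort's own code: it searches a payload for a run of 24 or more 0x43 bytes, applies the external-source and port-exclusion conditions the page describes, and steps through the run to show why it behaves as a NOOP pad. The excluded-port set, the port numbers and the sample payloads are constructed for this example and are not taken from the page or from Snort's configuration.

```python
"""Minimal model of the INDICATOR-SHELLCODE 'x86 inc ebx NOOP' check.

Added example, not Snort's code. It mirrors the rule as this page describes it:
alert on a run of 24 consecutive 0x43 bytes ('C', the x86 opcode for inc ebx)
sent from an external source to a protected host, unless the destination port
is one on which shellcode rules are excluded.
"""
import re

INC_EBX = 0x43   # single-byte x86 opcode: inc ebx; also ASCII 'C'
MIN_RUN = 24     # run length the rule keys on

# Assumed exclusion list for this example (stands in for a site's
# shellcode-port exclusions; not Snort's actual default).
EXCLUDED_PORTS = {80, 443, 25}

_RUN_RE = re.compile(rb"\x43{%d,}" % MIN_RUN)


def find_inc_ebx_run(payload: bytes):
    """Return (offset, length) of the first run of >= MIN_RUN inc-ebx bytes, else None."""
    m = _RUN_RE.search(payload)
    if m is None:
        return None
    return m.start(), m.end() - m.start()


def should_alert(src_external: bool, dst_port: int, payload: bytes,
                 exclude_ports=EXCLUDED_PORTS) -> bool:
    """Apply the rule conditions: external source, non-excluded port, run present."""
    if not src_external or dst_port in exclude_ports:
        return False
    return find_inc_ebx_run(payload) is not None


def run_sled(code: bytes, entry: int):
    """Execute only 'inc ebx' bytes starting at `entry`, stopping at the first
    other byte. Returns (offset reached, ebx increments). Any entry point inside
    the run falls through to the same payload offset, which is why the bytes
    work as a NOOP pad."""
    pc, ebx = entry, 0
    while pc < len(code) and code[pc] == INC_EBX:
        ebx += 1
        pc += 1
    return pc, ebx


# --- constructed sample traffic (not captured data) ---
# An inc-ebx sled followed by 0xCC bytes standing in for the real payload.
SLED_PAYLOAD = b"\x43" * 40 + b"\xcc" * 4
# Clear-text HTTP body that legitimately contains a long run of 'C':
# the false-positive case the page warns about.
HTTP_PAYLOAD = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n\r\n"
                b"fill=" + b"C" * 30 + b"&n=1")


def demo():
    """Collect the outcomes a practitioner would compare when tuning the rule."""
    return {
        "sled_run": find_inc_ebx_run(SLED_PAYLOAD),
        "http_run": find_inc_ebx_run(HTTP_PAYLOAD),
        "alert_custom_port": should_alert(True, 4444, SLED_PAYLOAD),
        "alert_http_excluded": should_alert(True, 80, HTTP_PAYLOAD),
        "alert_http_not_excluded": should_alert(True, 80, HTTP_PAYLOAD, exclude_ports=set()),
        "alert_internal_source": should_alert(False, 4444, SLED_PAYLOAD),
        "sled_from_offset_17": run_sled(SLED_PAYLOAD, 17),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script shows the same 30-byte run of 'C' in the HTTP body that triggers on the sled: the only thing that separates the two cases is the port exclusion, which is the tuning the page recommends.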

Contributors

Cisco Talos, Brian Caswell, Mike Poor, Nigel Houghton

Rule Groups

No rule groups

CVE

None

Rule Vulnerability

No information provided

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.

None