List: snort-sigs
Subject: Re: [Snort-sigs] SHELLCODE rules
From: Russell Fulton <r.fulton () auckland ! ac ! nz>
Date: 2002-07-16 21:36:09
On Tue, 2002-07-16 at 23:41, Detmar Liesen wrote:
> Hi folks,
> I have a question regarding shellcode rules.
> We all know that some of those rules generate a huge amount of false
> positives.
> I think I remember some people on the list have recommended disabling those
> rules entirely.
>
> There are basically two rules that generate lots of false positives:
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 NOOP";
> content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth: 128;
> reference:arachnids,181; classtype:shellcode-detect; sid:648; rev:4;)
>
Newer versions of the rules have
alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS
where $SHELLCODE_PORTS = !80
This does not help since the data is returned from the server. A better
solution would be to have
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any
With version 1.9 you have the flow attribute which would allow:
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"..."; flow: to_server;
...) -- if I have the syntax right...
which would also cut down the false +ves. Of course this will not
detect malicious servers launching attacks on clients.
What I have done is to make a new classification "Shell code NOOPs" with
a priority of three rather than one. I still find the NOOP detects
useful; they pick up attacks that don't have specific signatures yet.
For example, if I see a portmapper request and then NOOPs to a high
numbered port I know that something happened.
Cheers, Russell
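The following is an added example, not code from the thread or from the Snort project. It models just enough of Snort's rule semantics to show why the four header variants discussed above (the original sid 648 header, the `$SHELLCODE_PORTS` restriction on the destination port, the suggested restriction on the source port, and `flow:to_server`) behave differently on the same packets: `content` plus `depth` is reduced to "the whole 14-byte pattern lies within the first 128 bytes", `flow:to_server` is reduced to a direction flag, and `$HOME_NET`/`$EXTERNAL_NET` and TCP session tracking are not modelled. The sample packets are constructed, not captures; the port numbers, the `Packet` class and all function names are assumptions made for the illustration.

```python
from dataclasses import dataclass

NOOP_PATTERN = b"\x90" * 14   # content:"|90 90 ... 90|" from sid 648 (14 bytes)
DEPTH = 128                    # depth:128 from sid 648


@dataclass
class Packet:
    src_port: int
    dst_port: int
    to_server: bool     # session direction, as flow:to_server would see it (simplified)
    payload: bytes


def noop_content_match(payload: bytes) -> bool:
    """content + depth: the whole pattern must lie within the first DEPTH bytes."""
    idx = payload.find(NOOP_PATTERN)
    return idx != -1 and idx + len(NOOP_PATTERN) <= DEPTH


# Rule header variants from the thread. Each returns True when the header would
# let the packet reach content matching at all (hypothetical names).
RULE_HEADERS = {
    "sid648 rev4 (any -> any)":         lambda p: True,
    "dst $SHELLCODE_PORTS (!80)":       lambda p: p.dst_port != 80,
    "src $SHELLCODE_PORTS (suggested)": lambda p: p.src_port != 80,
    "flow:to_server (1.9)":             lambda p: p.to_server,
}


def alerts_for(packet: Packet) -> dict:
    """Which rule variants would alert on this packet."""
    return {name: header_ok(packet) and noop_content_match(packet.payload)
            for name, header_ok in RULE_HEADERS.items()}


# Classification priorities as stated in the message: Snort's shellcode-detect
# is priority 1; the custom "Shell code NOOPs" classification is priority 3.
CLASSTYPE_PRIORITY = {"shellcode-detect": 1, "shellcode-noop": 3}


def priority_for(classtype: str) -> int:
    return CLASSTYPE_PRIORITY[classtype]


# Constructed sample traffic (not captures).
# 1. A web server returning a binary that happens to contain a run of 0x90:
#    this is the "data is returned from the server" false-positive case.
HTTP_RESPONSE = Packet(
    src_port=80, dst_port=34567, to_server=False,
    payload=(b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
             + b"\x90" * 20 + b"\x00" * 50))

# 2. A client sending a NOOP sled to a high-numbered port, the shape Russell
#    still wants to see (e.g. after a portmapper request).
SLED_TO_HIGH_PORT = Packet(
    src_port=40000, dst_port=32771, to_server=True,
    payload=b"\x90" * 200 + b"TRAILER")

# 3. A client request whose 0x90 run starts beyond depth:128, so sid 648
#    never matches it regardless of the header.
LATE_NOOPS = Packet(
    src_port=40001, dst_port=32771, to_server=True,
    payload=b"A" * 150 + b"\x90" * 20)


def false_positive_variants(packet: Packet) -> list:
    """Names of the variants that would alert on a packet we consider benign."""
    return [name for name, hit in alerts_for(packet).items() if hit]


if __name__ == "__main__":
    for label, pkt in [("http response", HTTP_RESPONSE),
                       ("sled to high port", SLED_TO_HIGH_PORT),
                       ("late noops", LATE_NOOPS)]:
        print(label, alerts_for(pkt))
    print("priority of custom class:", priority_for("shellcode-noop"))
```

Run as a script, the HTTP response trips both the original header and the destination-port `$SHELLCODE_PORTS` variant, while the source-port variant and `flow:to_server` stay quiet; the sled to the high port is caught by all four, and the late sled by none. That is the trade-off the message describes: the direction-aware headers remove the server-response false positives at the cost of not seeing a malicious server pushing a sled to a client.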
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs