
List:       snort-sigs
Subject:    Re: [Snort-sigs] SHELLCODE rules
From:       Russell Fulton <r.fulton () auckland ! ac ! nz>
Date:       2002-07-16 21:36:09

On Tue, 2002-07-16 at 23:41, Detmar Liesen wrote:
> Hi folks,
> I have a question regarding shellcode rules.
> We all know that some of those rules generate a huge amount of false
> positives.
> I think I remember some people on the list have recommended disabling those
> rules entirely.
> 
> There are basically two rules that generate lots of false positives:
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 NOOP";
> content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth: 128;
> reference:arachnids,181; classtype:shellcode-detect; sid:648; rev:4;)
> 

Newer versions of the rules have
alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS

where $SHELLCODE_PORTS = !80

This does not help since the data is returned from the server.  A better
solution would be to have

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any

With version 1.9 you have the flow attribute which would allow:
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"..."; flow: to_server;
...) -- if I have the syntax right...

which would also cut down the false +ves.  Of course this will not
detect malicious servers launching attacks on clients.

What I have done is to make a new classification "Shell code NOOPs" with
a priority of three rather than one.  I still find the NOOP detects
useful; they pick up attacks that don't have specific signatures yet.
For example, if I see a portmapper request and then NOOPs to a high-
numbered port I know that something happened.

Cheers, Russell
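An added example, not part of the original thread, that models the three rule forms discussed above (destination-port $SHELLCODE_PORTS, source-port $SHELLCODE_PORTS, and flow:to_server) against the same 14-byte NOP sled carried on different sides of a connection. The Packet type, the sample packets and the evaluate() helper are constructed for illustration; $HOME_NET/$EXTERNAL_NET matching is assumed to have already passed.

```python
from dataclasses import dataclass

NOP_SLED = b"\x90" * 14            # content:"|90 90 ... 90|" from sid:648
SHELLCODE_PORTS_EXCLUDE = {80}     # $SHELLCODE_PORTS = !80


@dataclass
class Packet:                      # constructed, minimal packet model
    src_port: int
    dst_port: int
    to_server: bool                # flow direction: True if client -> server
    payload: bytes


def has_nop_sled(pkt: Packet, depth: int = 128) -> bool:
    """content match with depth:128 -> only the first 128 payload bytes count."""
    return NOP_SLED in pkt.payload[:depth]


def rule_dst_ports(pkt: Packet) -> bool:
    # alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (...)
    return pkt.dst_port not in SHELLCODE_PORTS_EXCLUDE and has_nop_sled(pkt)


def rule_src_ports(pkt: Packet) -> bool:
    # alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (...)
    return pkt.src_port not in SHELLCODE_PORTS_EXCLUDE and has_nop_sled(pkt)


def rule_flow_to_server(pkt: Packet) -> bool:
    # alert ip $EXTERNAL_NET any -> $HOME_NET any (flow:to_server; ...)
    return pkt.to_server and has_nop_sled(pkt)


def evaluate(pkt: Packet) -> dict:
    return {"dst_ports": rule_dst_ports(pkt),
            "src_ports": rule_src_ports(pkt),
            "flow_to_server": rule_flow_to_server(pkt)}


# Constructed samples: a web server returning binary data that happens to
# contain a run of 0x90, a client-side attack on a high RPC port, and a
# malicious server pushing a sled back to a client (the case flow:to_server misses).
HTTP_RESPONSE = Packet(80, 51234, False,
                       b"HTTP/1.0 200 OK\r\n\r\n\x89PNG" + NOP_SLED + b"\x00" * 32)
RPC_ATTACK = Packet(51235, 32771, True, b"\x80\x00\x00\x28" + NOP_SLED)
EVIL_SERVER = Packet(6667, 51236, False, NOP_SLED + b"\x31\xc0")
```

Only the source-port and flow:to_server forms stay quiet on the HTTP response, and only flow:to_server goes blind on the malicious-server case.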




_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs