List: snort-sigs
Subject: Re: [Snort-sigs] shell code rules
From: Matt Kettler <mkettler () evi-inc ! com>
Date: 2003-11-14 0:08:02
At 05:33 PM 11/13/2003, Russell Fulton wrote:
>I assert that this is incorrect and that the $SHELLCODE_PORTS should be
>on the source port, not the destination, since data returned in web
>pages will have a *source* port of 80.
Agreed wholeheartedly. All you'll wind up ignoring with the default
configuration is HTTP requests to a server on your home network...
I guess if you have URIs that look like shellcode, this might make sense...
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.html
would be a great way to trigger the x86 nop rule.. However, I suspect not
many people have any filenames on their website which contain > 24 a's.
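
The port-placement argument in this message, as an added example that is not part of the original message or of Snort's rule set: a small Python model of the port part of a rule header, comparing `$SHELLCODE_PORTS` on the destination with the same variable on the source. It assumes `$SHELLCODE_PORTS` is `!80` and uses a run of 25 `a` bytes as a stand-in for the x86 nop rule content; the packets are constructed.

```python
# Added illustration; models only the port part of a Snort rule header.
from dataclasses import dataclass

SHELLCODE_PORTS = "!80"   # assumed default value; not quoted in the thread
NOP_RUN = b"a" * 25       # stand-in for the x86 nop content ("> 24 a's")

@dataclass
class Packet:             # one EXTERNAL_NET -> HOME_NET packet (constructed)
    name: str
    sport: int
    dport: int
    payload: bytes

def port_ok(spec: str, port: int) -> bool:
    """Evaluate a port spec limited to 'any', 'N' or '!N'."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return port != int(spec[1:])
    return port == int(spec)

def alerts(sport_spec: str, dport_spec: str, pkt: Packet) -> bool:
    """True when the header matches and the payload holds the nop run."""
    header = port_ok(sport_spec, pkt.sport) and port_ok(dport_spec, pkt.dport)
    return header and NOP_RUN in pkt.payload

PACKETS = [
    Packet("web page returned to a home client", 80, 40001,
           b"<pre>" + b"a" * 40 + b"</pre>"),
    Packet("request to a home web server", 40002, 80,
           b"GET /" + b"a" * 69 + b".html HTTP/1.0\r\n\r\n"),
    Packet("non-HTTP payload to a home service", 40003, 9999,
           b"\x00" + b"a" * 64),
]

def compare():
    """Map packet name -> (alert with dst placement, alert with src placement)."""
    return {p.name: (alerts("any", SHELLCODE_PORTS, p),
                     alerts(SHELLCODE_PORTS, "any", p)) for p in PACKETS}

if __name__ == "__main__":
    for name, (dst, src) in compare().items():
        print(f"{name:36} dst-port rule: {dst!s:5}  src-port rule: {src}")
```

With the variable on the destination, the returned web page alerts and only the request to the home server is skipped; moving it to the source reverses those two cases, and non-HTTP traffic is inspected either way.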