
List:       snort-sigs
Subject:    Re: [Snort-sigs] shell code rules
From:       Matt Kettler <mkettler () evi-inc ! com>
Date:       2003-11-14 0:08:02

At 05:33 PM 11/13/2003, Russell Fulton wrote:
>I assert that this is incorrect and that the $SHELLCODE_PORTS should be
>on the source port, not the destination, since data returned in web
>pages will have a *source* port of 80.

Agreed wholeheartedly. All you'll wind up ignoring with the default 
configuration is HTTP requests to a server on your home network...

I guess if you have URIs that look like shellcode, this might make sense...

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.html 
would be a great way to trigger the x86 nop rule.. However, I suspect not 
many people have any filenames on their website which contain > 24 a's.
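
Added example, not part of the original message and not Snort code: a small Python model of the two $SHELLCODE_PORTS placements discussed in this thread, run over constructed inbound packets. It assumes $SHELLCODE_PORTS means "not 80", that the rule covers external-to-home traffic, and it stands in for the x86 NOP content match with a run of more than 24 a's, as the message describes.

```python
import re
from dataclasses import dataclass


# Assumption inferred from the thread: the default $SHELLCODE_PORTS is "not 80".
def in_shellcode_ports(port: int) -> bool:
    return port != 80


# Stand-in for the x86 NOP content match: the message says a filename with
# more than 24 a's triggers it, so model it as a run of 25 or more 'a' bytes.
NOP_LIKE = re.compile(rb"a{25,}")


@dataclass
class Packet:  # constructed sample traffic, all inbound (external -> home)
    label: str
    sport: int
    dport: int
    payload: bytes


def alerts(pkt: Packet, ports_on: str) -> bool:
    """Evaluate the port test in the rule header, then the content match.

    ports_on="dst": external any -> home $SHELLCODE_PORTS (placement objected to)
    ports_on="src": external $SHELLCODE_PORTS -> home any (placement proposed)
    """
    port = pkt.dport if ports_on == "dst" else pkt.sport
    return in_shellcode_ports(port) and bool(NOP_LIKE.search(pkt.payload))


SAMPLES = [  # constructed payloads
    Packet("request to home web server", 40000, 80,
           b"GET /" + b"a" * 69 + b".html HTTP/1.0\r\n\r\n"),
    Packet("web page returned to home client", 80, 40001,
           b"HTTP/1.0 200 OK\r\n\r\n" + b"a" * 40),
    Packet("non-web inbound traffic", 40002, 25, b"a" * 40),
]


def compare() -> dict:
    """Map each sample to (alerts with dst placement, alerts with src placement)."""
    return {p.label: (alerts(p, "dst"), alerts(p, "src")) for p in SAMPLES}


if __name__ == "__main__":
    for label, (dst, src) in compare().items():
        print(f"{label:34} dst-placement={dst!s:5} src-placement={src}")
```

With the port variable on the destination, the returned web page still alerts and only the request to the home web server is skipped; moving it to the source port reverses both results.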




