[Snort-sigs] SID 651

Matt Kettler mkettler at ...189...
Thu Apr 25 11:29:08 EDT 2002

x86 stealth NOOP";   content: "|eb 02 eb 02 eb 02|"; 
reference:arachnids,291; classtype:shellcode-detect; sid:651; rev:5;)


Binary data in an IP packet matched one kind of byte sequence used as 
filler in buffer overflow attacks.

It is possible that someone was attempting a buffer overflow to gain 
unauthorized access to one of your servers.

Detailed Information:
This rule triggers when a binary pattern appears in the contents of any IP 
packet that matches one form of filler byte used in buffer overflow attacks. 
Buffer overflows allow execution of arbitrary code with the privilege level 
of the affected server process. A very detailed discussion of how basic 
buffer overflows work can be found in the text of "Smashing the Stack for 
Fun and Profit" by Aleph One in Phrack #49.

Attack Scenarios:
If the attacker suspects you have a server which is vulnerable to buffer 
overflow, they will attempt to exploit this vulnerability to gain access.

Ease of Attack:
Tools that perform buffer overflows using this stealth NOP pattern are widely available.

False Positives:
Quite likely. This byte pattern can occur naturally in almost any binary 
data, so file downloads, streaming media, etc. can cause this rule to false 
positive. If this traffic appears to be coming from a web or FTP server 
outside your network to one of your client machines, it is likely a false 
alert caused by someone downloading a binary file. If it was directed at 
a port on one of your machines that is running a server process, you may 
want to check whether that machine has been exploited.

False Negatives:
Unlikely; however, other forms of buffer overflow "nop-fill" do exist and 
can be used to perform a buffer overflow without triggering this signature.

Corrective Action:
Ensure all of your systems have proper security updates applied to reduce 
the chances of a buffer overflow being effective. This is particularly 
important for mail, news, DNS, web and other servers, but these attacks can 
be used against client machines in some cases as well. If this rule causes 
a large number of false alerts for your applications, consider tuning the 
ports in $SHELLCODE_PORTS or revising the list of machines monitored.

Matt Kettler <shwalker.geo at ...144...>

Additional References:

"Smashing the stack for fun and profit" by Aleph One in Phrack #49
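As an added illustration (not part of the original post or of Snort itself), the following Python emulates SID 651's content match and the triage heuristic from the False Positives section above. The rule header is cut off on the page, so the example assumes the usual shellcode-rule form ($EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any) with $HOME_NET, $SHELLCODE_PORTS = !80 and the "download server" port list as assumptions; the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Rule body from the page: content:"|eb 02 eb 02 eb 02|" (three x86 "jmp +2" opcodes).
STEALTH_NOP = bytes.fromhex("eb02eb02eb02")

# Assumed rule header variables (the header itself is cut off on the page).
HOME_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed $HOME_NET
SHELLCODE_PORTS_EXCLUDED = {80}                  # assumed $SHELLCODE_PORTS = !80
DOWNLOAD_SERVER_PORTS = {20, 21, 80, 443}        # assumed "web or ftp server" source ports

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

def matches_sid651(pkt: Packet) -> bool:
    """Emulate header + content match: $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any."""
    if ipaddress.ip_address(pkt.src) in HOME_NET:      # source must be external
        return False
    if ipaddress.ip_address(pkt.dst) not in HOME_NET:  # destination must be in $HOME_NET
        return False
    if pkt.sport in SHELLCODE_PORTS_EXCLUDED:          # !80 drops plain web downloads
        return False
    return STEALTH_NOP in pkt.payload

def triage(pkt: Packet, listening_ports: set) -> str:
    """Apply the post's False Positives guidance to a packet that matched."""
    if pkt.dport in listening_ports:
        return "investigate"            # aimed at a server process on the home host
    if pkt.sport in DOWNLOAD_SERVER_PORTS:
        return "likely-false-positive"  # external server -> internal client download
    return "review"

def classify(pkt: Packet, listening_ports: set) -> str:
    # 'no-match' when the rule would not fire, otherwise the triage verdict.
    return triage(pkt, listening_ports) if matches_sid651(pkt) else "no-match"

# Constructed sample traffic (not real captures); the pattern sits inside binary filler.
FILLER = b"MZ\x90\x00" + STEALTH_NOP + b"\x00" * 16
SAMPLES = {
    "ftp_download": Packet("198.51.100.7", 20, "10.1.2.3", 51000, FILLER),
    "http_download": Packet("198.51.100.7", 80, "10.1.2.3", 51001, FILLER),
    "to_imap_server": Packet("198.51.100.9", 40000, "10.1.2.4", 143, FILLER),
    "clean_payload": Packet("198.51.100.9", 40001, "10.1.2.4", 143, b"a001 LOGIN x y\r\n"),
}
```

Running `classify(pkt, {143})` over SAMPLES gives "likely-false-positive" for the FTP download, "no-match" for the HTTP download (excluded by the assumed !80 source port) and for the clean IMAP login, and "investigate" for the packet aimed at the listening IMAP port.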

