[Snort-sigs] SID 651
mkettler at ...189...
Thu Apr 25 11:29:08 EDT 2002
Rule:
alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE x86 stealth NOOP"; content: "|eb 02 eb 02 eb 02|"; reference:arachnids,291; classtype:shellcode-detect; sid:651; rev:5;)

Summary:
Binary data in an IP packet matched one kind of byte sequence used as
filler in buffer overflow attacks.
Impact:
It is possible someone was attempting a buffer overflow to gain
unauthorized access to one of your servers.
Detailed Information:
This rule triggers when a binary pattern appears in any IP packet contents
which matches one form of filler-byte used in buffer overflow attacks.
Buffer overflows allow execution of arbitrary code with the privilege level
of the affected server process. A very detailed discussion of how basic
buffer overflows work can be found in the text of "Smashing the stack for
fun and profit" by Aleph One in Phrack #49.
Attack Scenarios:
If the attacker suspects you have a server which is vulnerable to buffer
overflow, they will attempt to exploit this vulnerability to gain access.
Ease of Attack:
Tools that use buffer overflows with stealth nop are widely available.
False Positives:
Quite likely. This byte pattern can naturally occur in almost any binary
data, so file downloads, streaming media, etc. can cause this rule to false
positive. If this traffic appears to be coming from a web or ftp server
outside your network to one of your client machines, it is likely a false
alert caused by someone downloading a binary file. If this was directed at
a port on one of your machines which is running a server process, you may
want to check to see if it has been exploited.
False Negatives:
Unlikely, however other forms of buffer overflow "nop-fill" do exist and
can be used to perform a buffer overflow without triggering this signature.
Corrective Action:
Ensure all of your systems have proper security updates applied to reduce
the chances of a buffer overflow being effective. This is particularly
important for mail, news, DNS, web and other servers, but these attacks can
be used against client machines in some cases as well. If this rule causes
a large number of false alerts in your applications, consider tuning the
ports in $SHELLCODE_PORTS, or revising the list of machines monitored.
Contributors:
Matt Kettler <shwalker.geo at ...144...>

Additional References:
"Smashing the stack for fun and profit" by Aleph One in Phrack #49