[Snort-sigs] Shellocode x86 inc ebx signatures

Andreas Östling andreaso at ...58...
Fri Aug 9 09:03:53 EDT 2002


On Fri, 9 Aug 2002, Ian Macdonald wrote:

> I am seeing a lot of alerts being triggered by the Shellcode x86 inc ebx
> signature. I see a lot of the packets have JFIF, which I think is the
> identifier for a type of JPEG. In order to reduce false positives would it
> make sense to put a (not "JFIF") content match in this signature? Or would
> this open up the possibility of someone doing a buffer overflow that has
> JFIF in the string so it would be able to bypass the IDS?

There is always a risk with that...

I think the 'flow' keyword in the upcoming snort 1.9 will be extremely
useful for these things. Then you can make sure that the packet is
actually going to the server side, and avoid those false positives due to
images and such in packets going back to the client side.

/Andreas
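The two rule variants below are an added illustration of the direction-based approach discussed in this thread; they are not the rule text from any Snort release or from either poster. The rule header (`tcp`, `$EXTERNAL_NET`, `$HOME_NET`, `$HTTP_PORTS`), the sid numbers and the 24-byte pattern length are assumptions chosen for the example; the 0x43 byte really is the x86 `inc ebx` opcode, and a long run of it is the NOP-sled pattern the "inc ebx" signature is after.

```snort
# Variant 1 (constructed): direction-agnostic rule. It fires on any packet
# carrying a run of 0x43 bytes, including JPEG/JFIF image data that a web
# server returns to a client, which is the false-positive source in the thread.
alert tcp any any -> any any ( \
    msg:"SHELLCODE x86 inc ebx NOOP (no direction check, constructed example)"; \
    content:"|43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43|"; \
    classtype:shellcode-detect; sid:1000001; rev:1; )

# Variant 2 (constructed): same payload match, but the 'flow' keyword restricts
# it to established TCP sessions and to packets travelling toward the server
# side. Image bodies flowing back to the client are no longer inspected by this
# rule, so the JFIF false positives disappear without weakening the match on
# server-bound data. 'flow' depends on the stream preprocessor being enabled so
# that Snort knows which end of the session is the server.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"SHELLCODE x86 inc ebx NOOP (to_server only, constructed example)"; \
    flow:to_server,established; \
    content:"|43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43|"; \
    classtype:shellcode-detect; sid:1000002; rev:1; )
```

The trade-off Andreas points at is visible in the second rule: it deliberately stops looking at client-bound traffic, so a shellcode sled in a server response would go unseen by this rule, but a sled embedded in an upload toward the server is still matched even if the surrounding bytes happen to contain "JFIF". That is why restricting by direction is safer than excluding a string from the content match.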
