[Snort-sigs] inc ebx NOOP Shellcode detection statefulness?

Curt Wilson curtw at ...2002...
Tue Nov 4 09:47:04 EST 2003


Dear snort-sigs community:

I'm using snort Version 2.0.0 (Build 72) on RHL 9.0.

snort.conf:

# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80

I've enabled shellcode alerting. Often, jpg/JFIF files will trigger 
SHELLCODE x86 inc ebx NOOP alerts on ACK packets where source port = 80, 
destination = ephemeral. I don't want to include !1024:65535 (or other such 
smaller range) in my SHELLCODE_PORTS var in case a shellcode attack lands 
on some other high port. Any way to make this stateful?

I know that the shellcode detection is limited, easy to evade, and prone to 
false positives, so you don't need to waste words on that subject. I've 
done some searching but have not found this exact topic (after about 45 min 
of searching - it's always possible that I missed the data that I need, if 
that's the case, please excuse the redundancy). Upgrading snort may or may 
not help. I know there are newer versions but I'm not scheduled for an 
upgrade just yet, too many other irons in the fire right now.

The trigger in this case is

1d0 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
1e0 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC
1f0 : 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43   CCCCCCCCCCCCCCCC

for rule

alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE x86 inc ebx NOOP"; content:"|43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43|"; classtype:shellcode-detect; sid:1390; rev:3;)

Perhaps I can write a rule that will ignore the detect if the following 
items are in the file headers:

Content-Type: image/jpeg
and the string JFIF appears in the actual file header (for a web hosted jpg)

or in the case of Adobe generated (I'm assuming)

140 : E0 00 10 4A 46 49 46 00 01 02 00 00 64 00 64 00   ...JFIF.....d.d.
150 : 00 FF EC 00 11 44 75 63 6B 79 00 01 00 04 00 00   .....Ducky......
160 : 00 0C 00 00 FF EE 00 0E 41 64 6F 62 65 00 64 C0   ........Adobe.d.

But rather than do that, getting this to be stateful would be helpful. Any 
ideas welcomed. I'm not that experienced writing snort rules. Hopefully 
this is the proper forum for this content.


Curt Wilson
SIUC PSO LAN Administrator
618-453-1344
GSEC, GCFW
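The following is an added example, not code from Curt's post or from the Snort project. It models the content match of sid:1390 (24 consecutive 0x43 bytes) over a few constructed packets and then shows the two suppression strategies the post circles around: a direction-aware check that only alerts on data heading toward the server side of a session (the "stateful" behaviour asked for), and a header-aware check that lets through an HTTP response whose Content-Type and body really are a JFIF/Adobe JPEG. The Packet class, the port numbers and the packet contents are assumptions built for this demonstration; the APP0 bytes are copied from the dump in the post.

```python
"""Added example (not from the original post or the Snort project).

Models the sid:1390 content match (24 x 0x43, the x86 'inc ebx' NOOP sled)
over constructed packets and shows two ways to drop the JPEG-over-HTTP
false positive: a direction-aware check and a header-aware check.
Packet class, ports and payloads are assumptions made for this demo.
"""
from dataclasses import dataclass

# The 24-byte run the rule's content option matches: |43 43 ... 43|
INC_EBX_SLED = b"\x43" * 24


@dataclass
class Packet:
    src_port: int
    dst_port: int
    to_server: bool   # direction inside the TCP session, as a stream tracker would label it
    payload: bytes


def in_shellcode_ports(dst_port: int) -> bool:
    """Mirror 'var SHELLCODE_PORTS !80': every destination port except 80."""
    return dst_port != 80


def content_match(payload: bytes) -> bool:
    """The rule's content option: the 24-byte 'C' run anywhere in the payload."""
    return INC_EBX_SLED in payload


def split_http(payload: bytes):
    """Return (headers, body); a payload with no header block is all body."""
    if b"\r\n\r\n" in payload:
        head, body = payload.split(b"\r\n\r\n", 1)
        return head, body
    return b"", payload


def is_jpeg_response(payload: bytes) -> bool:
    """True when the HTTP headers say image/jpeg AND the body starts with the
    JPEG SOI marker followed by a JFIF (APP0) or Adobe (APP14) marker, the two
    header shapes shown in the post."""
    head, body = split_http(payload)
    if b"content-type: image/jpeg" not in head.lower():
        return False
    if not body.startswith(b"\xff\xd8\xff"):
        return False
    return b"JFIF" in body[:32] or b"Adobe" in body[:256]


def naive_rule(pkt: Packet) -> bool:
    """The rule as posted: destination-port filter plus content match, no state."""
    return in_shellcode_ports(pkt.dst_port) and content_match(pkt.payload)


def direction_aware_rule(pkt: Packet) -> bool:
    """Same match, but only for data flowing toward the server side of the session."""
    return pkt.to_server and naive_rule(pkt)


def header_aware_rule(pkt: Packet) -> bool:
    """Same match, but an HTTP response that really carries a JPEG is let through."""
    return naive_rule(pkt) and not is_jpeg_response(pkt.payload)


def evaluate(packets, rule):
    """Indices of the packets a given rule would alert on."""
    return [i for i, p in enumerate(packets) if rule(p)]


# Constructed sample traffic (not captured data).
# APP0 segment follows the post's dump: FF E0 00 10 'JFIF' 00 01 02 00 00 64 00 64 00 00.
JPEG_WITH_SLED = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x02\x00\x00\x64\x00\x64\x00\x00"
    + b"\xff\xdb\x00\x43\x00" + b"\x43" * 64   # DQT segment whose 64 entries are all 0x43
    + b"\xff\xd9"
)
HTTP_JPEG_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(JPEG_WITH_SLED) + JPEG_WITH_SLED
)
SAMPLE_PACKETS = [
    # 0: web server answering a browser; the JPEG body happens to contain the 'C' run
    Packet(src_port=80, dst_port=33211, to_server=False, payload=HTTP_JPEG_RESPONSE),
    # 1: client pushing the same byte run at a listener on a high port
    Packet(src_port=4444, dst_port=31337, to_server=True, payload=b"\x90" * 8 + b"\x43" * 40),
    # 2: ordinary HTML response with no sled at all
    Packet(src_port=80, dst_port=33212, to_server=False,
           payload=b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"),
]

if __name__ == "__main__":
    for name, rule in [("naive", naive_rule), ("direction-aware", direction_aware_rule),
                       ("header-aware", header_aware_rule)]:
        print(f"{name:16s} alerts on packets {evaluate(SAMPLE_PACKETS, rule)}")
```

Run as a script, the naive rule alerts on packets 0 and 1, while both refined rules alert on packet 1 only. In Snort's own rule language the direction-aware branch corresponds to adding `flow:to_server,established;` to the rule (this is my suggestion, and it assumes the stream4 preprocessor is enabled so that session direction is tracked); the header-aware branch is the Content-Type/JFIF idea from the post, which costs extra parsing per packet and only helps for HTTP-delivered images.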
