[Snort-sigs] shell code rules
r.fulton at ...575...
Thu Nov 13 14:34:12 EST 2003
All the rules in the shellcode file start off with:
alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS
Where $SHELLCODE_PORTS is typically !80 to ignore web pages with binary
material that causes false positives (FPs).
I assert that this is incorrect and that the $SHELLCODE_PORTS should be
on the source port, not the destination, since data returned in web
pages will have a *source* port of 80. I first tried using flow:
to_server to force the matching to work in the right direction but this
failed because the protocol is 'ip' not 'tcp'.
I have been running with source of $SHELLCODE_PORTS and dest of any for
a couple of days now and this has reduced the number of FPs
dramatically. You still get them from ftp transfers but they are way
I don't treat alerts from these rules as significant on their own but they
are useful for finding out which machines have been attacked when you
have a reconnaissance alert from the same address.
Can we please have these rules revised so they are more useful.
Russell Fulton, Network Security Officer, The University of Auckland,
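As an added illustration (not part of Russell's post and not Snort's own code), the following Python model evaluates the port half of a Snort rule header against a few constructed packets, so the effect of moving $SHELLCODE_PORTS from the destination to the source side can be seen directly. Variable values, the packet samples and the simplified header semantics (addresses ignored, ports checked for every packet) are assumptions of the model, not Snort's exact matching rules.

```python
"""Model of Snort rule-header port matching, added to illustrate why
$SHELLCODE_PORTS on the *destination* side still matches web pages returned
to clients.  Example code, not Snort code; values below are constructed."""

from dataclasses import dataclass
from typing import Dict

# Constructed variable table (assumed values, mirroring a typical snort.conf).
VARS: Dict[str, str] = {
    "$EXTERNAL_NET": "any",
    "$HOME_NET": "any",
    "$SHELLCODE_PORTS": "!80",
}


@dataclass(frozen=True)
class Packet:
    proto: str      # transport protocol as Snort names it: "tcp", "udp", ...
    src_port: int
    dst_port: int


def port_matches(spec: str, port: int) -> bool:
    """Evaluate one Snort port specifier: 'any', 'N', 'N:M' (open-ended
    ranges allowed), a $VARIABLE, or any of these negated with a leading '!'."""
    spec = VARS.get(spec, spec)          # expand $SHELLCODE_PORTS etc.
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def header_matches(header: str, pkt: Packet) -> bool:
    """Match a unidirectional rule header against a packet.  Addresses are
    treated as matching so the example isolates the port question; an 'ip'
    rule applies to every transport protocol (assumption of this model)."""
    _action, proto, _src_net, src_port, arrow, _dst_net, dst_port = header.split()
    if arrow != "->":
        raise ValueError("only '->' headers are handled in this model")
    if proto != "ip" and proto != pkt.proto:
        return False
    return port_matches(src_port, pkt.src_port) and port_matches(dst_port, pkt.dst_port)


# The header as shipped in shellcode.rules, and the source-side variant proposed above.
ORIGINAL = "alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS"
PROPOSED = "alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any"

# Constructed sample traffic (port numbers chosen for illustration).
SAMPLES: Dict[str, Packet] = {
    "http_response": Packet("tcp", 80, 51234),   # binary web content back to a client
    "http_request":  Packet("tcp", 51234, 80),   # client talking to a web server
    "smb_attempt":   Packet("tcp", 40000, 445),  # ephemeral source -> service port
    "ftp_data":      Packet("tcp", 20, 51235),   # active-mode ftp data returning
}


def evaluate(header: str) -> Dict[str, bool]:
    """Return, per sample packet, whether the given header would fire on it."""
    return {name: header_matches(header, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, header in (("original", ORIGINAL), ("proposed", PROPOSED)):
        print(label, evaluate(header))
```

Run as written, the original header fires on the HTTP response (destination port 51234 is "!80") and stays silent on the request, which is exactly backwards for the false positive being described; the proposed header suppresses the response and still fires on the service-port connection, while the FTP data return keeps matching either way, consistent with the remaining FP source named in the post. The model does not implement rule options, which is where `flow:to_server` lives; that option is only meaningful on `tcp` rules, so it cannot be used to fix the direction of an `ip` rule.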