[Snort-sigs] shell code rules

Russell Fulton r.fulton at ...575...
Thu Nov 13 14:34:12 EST 2003


Hi All,
	All the rules in the shellcode file start off with:

alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS 

Where $SHELLCODE_PORTS is typically !80 to ignore web pages with binary
material that causes false positives (FPs).

I assert that this is incorrect and that the $SHELLCODE_PORTS should be
on the source port, not the destination, since data returned in web
pages will have a *source* port of 80.   I first tried using flow:
to_server to force the matching to work in the right direction but this
failed because the protocol is 'ip' not 'tcp'.

I have been running with source of $SHELLCODE_PORTS and dest of any for
a couple of days now and this has reduced the number of FPs
dramatically.  You still get them from ftp transfers but they are way
down.

I don't treat alerts of these rules as significant on their own but they
are useful for finding out which machines have been attacked when you
have reconnaissance alert from the same address.

Can we please have these rules revised so they are more useful?

Cheers, Russell

-- 
Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.
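Added example, not part of Russell's post: a small Python model of how the two rule headers under discussion treat traffic direction. It implements a subset of Snort's port-spec syntax (`any`, single ports, `!`-negation, `lo:hi` ranges, bracketed lists) and applies the original header (`$EXTERNAL_NET any -> $HOME_NET !80`) and the proposed one (`$EXTERNAL_NET !80 -> $HOME_NET any`) to a few constructed packets. The `Packet` type, the `from_external` flag standing in for the `$EXTERNAL_NET -> $HOME_NET` address match, and all sample addresses are assumptions made for the example.

```python
# Added example: model the port side of a Snort rule header so the
# direction problem in the shellcode rules can be seen on sample packets.
# Not Snort's own code; the matcher covers only a subset of Snort port syntax.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    from_external: bool  # assumption: stands in for $EXTERNAL_NET -> $HOME_NET


def port_matches(spec: str, port: int) -> bool:
    """Evaluate a Snort-style port spec: 'any', '80', '!80', '1024:', '![80,443]'."""
    spec = spec.strip()
    if spec == "any":
        return True
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    spec = spec.strip("[]")
    hit = False
    for part in spec.split(","):
        part = part.strip()
        if ":" in part:
            lo, hi = part.split(":")
            lo_n = int(lo) if lo else 0
            hi_n = int(hi) if hi else 65535
            if lo_n <= port <= hi_n:
                hit = True
        elif int(part) == port:
            hit = True
    return hit != negate  # negation flips the result


def header_matches(src_spec: str, dst_spec: str, pkt: Packet) -> bool:
    """True when the packet satisfies the address direction and both port specs."""
    return (
        pkt.from_external
        and port_matches(src_spec, pkt.src_port)
        and port_matches(dst_spec, pkt.dst_port)
    )


# (src port spec, dst port spec) for the two headers being compared
ORIGINAL = ("any", "!80")  # alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS
PROPOSED = ("!80", "any")  # alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any

# Constructed sample traffic (addresses are documentation ranges, not real hosts)
SAMPLES = {
    "web page returned to a browser": Packet("198.51.100.10", 80, "10.0.0.5", 51234, True),
    "inbound connection to SMB": Packet("198.51.100.10", 40000, "10.0.0.5", 445, True),
    "inbound request to own web server": Packet("198.51.100.10", 40001, "10.0.0.5", 80, True),
    "ftp data returned": Packet("198.51.100.10", 20, "10.0.0.5", 51235, True),
}


def evaluate(rule: tuple) -> dict:
    """Return which sample packets a given header would hand to the payload match."""
    return {name: header_matches(rule[0], rule[1], pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, rule in (("original", ORIGINAL), ("proposed", PROPOSED)):
        print(label)
        for name, matched in evaluate(rule).items():
            print(f"  {'MATCH' if matched else '-----'}  {name}")
```

With the original header, the returned web page (source port 80, ephemeral destination port) still passes the header and goes on to the binary-pattern match, which is the false positive the post describes; with the port negation moved to the source side it does not. The ftp data packet (source port 20) passes both headers, matching the post's observation that ftp transfers still produce alerts. One consequence worth noting when changing the header: the proposed form also inspects inbound requests to the site's own port-80 servers, which the original form skipped.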
