[Snort-sigs] shell code rules

Matt Kettler mkettler at ...189...
Thu Nov 13 16:07:09 EST 2003


At 05:33 PM 11/13/2003, Russell Fulton wrote:
>I assert that this is incorrect and that the $SHELLCODE_PORTS should be
>on the source port, not the destination, since data returned in web
>pages will have a *source* port of 80.

Agreed wholeheartedly. All you'll wind up ignoring with the default 
configuration is HTTP requests to a server on your home network...

I guess if you have URIs that look like shellcode, this might make sense...

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.html 
would be a great way to trigger the x86 nop rule.. However, I suspect not 
many people have any filenames on their website which contain > 24 a's.
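
The port-placement point discussed in this message, as an added example that is not part of the original post or of the Snort rule set. It models only the port fields of a rule header, assuming `SHELLCODE_PORTS` is set to `!80` and using a constructed run of 25 `a` bytes as a stand-in for the rule's content match; the packets are constructed too.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "label sport dport payload")

SHELLCODE_PORTS = "!80"   # assumed value: every port except 80
NOP_LIKE = b"a" * 25      # constructed stand-in for the rule's content match


def port_matches(spec, port):
    """Evaluate a Snort-style port spec: 'any', 'N' or '!N'."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return port != int(spec[1:])
    return port == int(spec)


def rule_fires(pkt, src_spec, dst_spec):
    """True when both header ports match and the payload holds the pattern."""
    return (port_matches(src_spec, pkt.sport)
            and port_matches(dst_spec, pkt.dport)
            and NOP_LIKE in pkt.payload)


# Constructed inbound traffic ($EXTERNAL_NET -> $HOME_NET), all carrying the pattern.
PACKETS = [
    Packet("web page returned to a home client", 80, 40000, b"<html>" + b"a" * 30),
    Packet("HTTP request to a home web server", 40001, 80, b"GET /" + b"a" * 30 + b".html"),
    Packet("non-HTTP inbound connection", 40002, 25, b"a" * 30),
]


def fired_labels(src_spec, dst_spec):
    """Labels of the sample packets that a rule with these port specs alerts on."""
    return [p.label for p in PACKETS if rule_fires(p, src_spec, dst_spec)]


# Placement criticised in the thread: ... any -> $HOME_NET $SHELLCODE_PORTS
ON_DESTINATION = fired_labels("any", SHELLCODE_PORTS)
# Placement proposed in the thread: ... $SHELLCODE_PORTS -> $HOME_NET any
ON_SOURCE = fired_labels(SHELLCODE_PORTS, "any")

if __name__ == "__main__":
    print("ports on destination:", ON_DESTINATION)
    print("ports on source:     ", ON_SOURCE)
```

With the ports on the destination side, returned web pages still alert and only requests to a home web server are skipped; with the ports on the source side, returned pages are skipped and a request whose URI contains the long run of `a` characters still alerts.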






