[Snort-sigs] shell code rules
mkettler at ...189...
Thu Nov 13 16:07:09 EST 2003
At 05:33 PM 11/13/2003, Russell Fulton wrote:
>I assert that this is incorrect and that the $SHELLCODE_PORTS should be
>on the source port, not the destination, since data returned in web
>pages will have a *source* port of 80.
Agreed wholeheartedly. All you'll wind up ignoring with the default
configuration is HTTP requests to a server on your home network...
I guess if you have URI's that look like shellcode, this might make sense...
would be a great way to trigger the x86 nop rule.. However, I suspect not
many people have any filenames on their website which contain > 24 a's.
More information about the Snort-sigs