[Snort-sigs] More about shell code rules

Russell Fulton r.fulton at ...575...
Fri Nov 14 12:07:16 EST 2003


As I mentioned in my post yesterday I am now running with the
$SHELLCODE_PORTS on the source rather than destination ports in the
rules.

This morning I was surprised to find over 10,000 "SHELLCODE x86 NOOP"
alerts. When I looked I found they were mostly from two sources with a
*destination* port of 80 -- i.e. they would be discarded by the official
rules.  Examining the packets revealed:

length = 1460

000 : 53 45 41 52 43 48 20 2F 90 90 90 90 90 90 90 90   SEARCH /........
010 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
020 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
030 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
040 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
050 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
...................
this was followed by 18 1500 byte packets of NOOPs.

About 70 different web servers were targeted with identical 'attacks'
from two sources in Europe, one in Poland and one in Kosovo.

I add this as more evidence that these rules should be changed.

-- 
Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.
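An added example (not from the post or the Snort project) that emulates the port-direction decision the post is arguing about: the same NOP-sled check applied to a packet constructed to mirror the dump above, once with $SHELLCODE_PORTS on the destination (the official rules) and once on the source; the `!80` port spec, the 14-byte sled threshold and all function names are assumptions.

```python
from dataclasses import dataclass

SHELLCODE_PORTS = "!80"   # assumed: "every port except 80", a negated Snort port spec
NOP = 0x90                # x86 NOP opcode seen in the dump
MIN_NOP_RUN = 14          # assumed sled length the rule needs before alerting


@dataclass
class Packet:
    src_port: int
    dst_port: int
    payload: bytes


def port_matches(spec: str, port: int) -> bool:
    """Evaluate a minimal Snort-style port spec: 'any', 'N', or negated '!N'."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return port != int(spec[1:])
    return port == int(spec)


def longest_nop_run(payload: bytes) -> int:
    """Length of the longest run of consecutive 0x90 bytes in the payload."""
    best = run = 0
    for b in payload:
        run = run + 1 if b == NOP else 0
        best = max(best, run)
    return best


def x86_noop_alert(pkt: Packet, ports_on: str) -> bool:
    """ports_on='dst' mirrors the official rules; 'src' mirrors the change in the post.

    If the port check fails the payload is never inspected, which is exactly
    how a sled aimed at a web server (dst port 80) slips past the 'dst' form.
    """
    port = pkt.dst_port if ports_on == "dst" else pkt.src_port
    if not port_matches(SHELLCODE_PORTS, port):
        return False
    return longest_nop_run(pkt.payload) >= MIN_NOP_RUN


# Constructed to mirror the dump: "SEARCH /" then a 0x90 sled, 1460 bytes, to port 80.
SEARCH_SLED = Packet(src_port=3456, dst_port=80,
                     payload=b"SEARCH /" + bytes([NOP]) * 1452)


def compare(pkt: Packet) -> dict:
    """Verdict of both rule forms for one packet."""
    return {"dst_rule": x86_noop_alert(pkt, "dst"),
            "src_rule": x86_noop_alert(pkt, "src")}
```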