[Snort-sigs] Re: More about shell code rules

Curt Wilson curtw at ...2002...
Mon Nov 17 06:40:13 EST 2003


I'm happy to see discussion of the shellcode rules FPs, however in this 
case it looks like you were getting targeted by a WebDAV exploit, I 
believe. So the NOPs in this case were probably part of a legitimate NOP 
sled. So the alert is probably accurate, I'm thinking. How many destination 
systems were probed with the exploit is probably making up the huge number 
of alerts. If the "official" rules would ignore this based on port 80 not 
receiving shellcode, then it's clear that in the interests of reducing 
false positives, attacks using port 80 are being missed. There 
has to be a way to tune these, perhaps with some thresholding or with some 
type of reporting intelligence to aggregate the alerts instead of 
generating a flood. I'm still relatively inexperienced with snort rules so 
I don't have any bright ideas, yet. It seems that using flow:to_server would 
be useful for protecting your own systems but would not catch outbound 
attacks. More reading/experimentation to do.

Thanks for exploring this area, Russell. I see enough shellcode out there 
in exploits that I like the idea of detecting it, as long as we can 
increase the accuracy.

Curt Wilson


At 08:27 PM 11/14/2003 -0800, snort-sigs-request at lists.sourceforge.net wrote:
>From: Russell Fulton <r.fulton at ...575...>
>To: snort-sigs <snort-sigs at lists.sourceforge.net>
>Date: Sat, 15 Nov 2003 09:06:21 +1300
>Subject: [Snort-sigs] More about shell code rules
>
>As I mentioned in my post yesterday I am now running with the
>$SHELLCODE_PORTS on the source rather than destination ports in the
>rules.
>
>This morning I was surprised to find over 10,000 "SHELLCODE x86 NOOP"
>alerts. When I looked I found they were mostly from two sources with a
>*destination* port of 80 -- i.e. they would be discarded by the official
>rules.  Examining the packets revealed:
>
>length = 1460
>
>000 : 53 45 41 52 43 48 20 2F 90 90 90 90 90 90 90 90   SEARCH /........
>010 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
>020 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
>030 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
>040 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
>050 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
>...................
>this was followed by 18 1500 byte packets of NOOPs.
>
>About 70 different web servers were targeted with identical 'attacks'
>from two sources in Europe, one in Poland and one in Kosovo.
>
>I add this as more evidence that these rules should be changed.
>
>--
>Russell Fulton, Network Security Officer, The University of Auckland,
>New Zealand.

-----
Curt Wilson
SIUC PSO LAN Administrator
618-453-1344
GSEC, GCFW
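An added example, not part of either message above: a small Python model of the stock rule (the $SHELLCODE_PORTS exclusion applied to the destination port) next to Russell's variant (exclusion applied to the source port), run over packets shaped like the SEARCH request in the hex dump, with a per-source "limit" threshold of the kind Curt suggests for collapsing the flood. The 14-byte NOP content match, the $SHELLCODE_PORTS value of !80, and all addresses, ports and payloads are assumptions constructed for the demo.

```python
# Added example, not from the thread. Models the "SHELLCODE x86 NOOP" rule,
# the port exclusion in both directions, and a by_src alert threshold.
from collections import defaultdict

NOP_SLED = b"\x90" * 14          # assumed content match: 14 consecutive x86 NOPs
SHELLCODE_PORTS_EXCLUDED = {80}  # assumed default: var SHELLCODE_PORTS !80

def matches_nop_sled(payload: bytes) -> bool:
    """Content match for the x86 NOOP signature: a run of 0x90 bytes."""
    return NOP_SLED in payload

def rule_fires(src_port, dst_port, payload, check="dst"):
    """check="dst": stock rule, ignores traffic *to* port 80 (the case Russell hit).
    check="src": Russell's variant, applies the exclusion to the *source* port."""
    port = dst_port if check == "dst" else src_port
    if port in SHELLCODE_PORTS_EXCLUDED:
        return False
    return matches_nop_sled(payload)

def threshold_limit(alerts, limit=1):
    """Snort-style 'threshold type limit, track by_src': keep at most `limit`
    alerts per source address; also return how many each source generated."""
    kept, seen = [], defaultdict(int)
    for a in alerts:
        seen[a["src"]] += 1
        if seen[a["src"]] <= limit:
            kept.append(a)
    return kept, dict(seen)

# Constructed packets modelled on the thread: a WebDAV SEARCH request whose
# body is a NOP sled, sent to port 80 on several servers from two sources,
# plus one benign large transfer *from* a web server (source port 80).
PACKETS = (
    [{"src": "10.0.0.1", "sport": 3301 + i, "dport": 80,
      "payload": b"SEARCH /" + b"\x90" * 1452} for i in range(5)]
    + [{"src": "10.0.0.2", "sport": 4400 + i, "dport": 80,
        "payload": b"SEARCH /" + b"\x90" * 1452} for i in range(5)]
    + [{"src": "192.0.2.10", "sport": 80, "dport": 51000,
        "payload": bytes(range(256)) * 5}]
)

def run(check):
    """Apply the rule in the chosen direction, then threshold per source."""
    alerts = [p for p in PACKETS
              if rule_fires(p["sport"], p["dport"], p["payload"], check)]
    return threshold_limit(alerts, limit=1)

if __name__ == "__main__":
    for mode in ("dst", "src"):
        kept, seen = run(mode)
        print(mode, "kept", len(kept), "of", sum(seen.values()), "alerts:", seen)
```

With the stock direction the ten exploit packets produce no alert at all; with the source-port variant they produce ten, which the limit threshold collapses to one per source while still recording the count.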