[Snort-sigs] Re: More about shell code rules

Russell Fulton r.fulton at ...575...
Mon Nov 17 12:55:13 EST 2003

On Tue, 2003-11-18 at 03:41, Curt Wilson wrote:
> I'm happy to see discussion of the shellcode rules FP's, however in this 
> case it looks like you were getting targeted by a WebDAV exploit, I 
> believe. So the NOP's in this case were probably part of a legitimate NOP 
> sled. So the alert is probably accurate, I'm thinking.

Oh yes, these are real exploits and that is my point.  These exploits
were missed by the rules in their 'official' form which ignore noops
sent *to* Web servers.  

The thrust of my argument is that the rules in the shellcode.rules are
wrong and that the $SHELLCODE_PORTS should be on the destination address
not the source.

My apologies if I did not make that clear.

>  How many destination 
> systems were probed with the exploit is probably making up the huge number 
> of alerts. If the "official" rules would ignore this based on port 80 not 
> receiving shellcode, then it's clear that in the interests of reducing 
> false positives that attacks using port 80 are clearly being missed.

I was not actually complaining about the volume of alerts and although
it would be nice to be able to limit the number of identical alerts I
don't think that is really snort's job.  That can be handled by post
processing.  (another field in Acid for number of identical alerts?)

>  There 
> has to be a way to tune these, perhaps with some thresholding or with some 
> type of reporting intelligence to aggregate the alerts instead of 
> generating a flood. I'm still relatively inexperienced with snort rules so 
> I don't have any bright ideas, yet. It seems that using flowto server would 
> be useful for protecting your own systems but would not catch outbound 
> attacks. More reading/experimentation to do.

I tried the flowto but if you do that then you need to double the number
of rules (i.e. you need separate rules for TCP and UDP).  BTDT :)

> Thanks for exploring this area, Russell. I see enough shellcode out there 
> in exploits that I like the idea of detecting it, as long as we can 
> increase the accuracy.

What do others feel about the shellcode rules?  

I believe that if no one is using them then they should be dropped from
the distribution and those of us who want to play with them can put them
in their local rules file (given the lack of interest in this thread this
may well be the case).  If people do want to use them then they should be
changed so they are correct and therefore useful.

Brian: I am happy to send in my amended copies of the rules for you to
add into the distribution.

Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.
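The thread leaves identical-alert aggregation to post-processing rather than to Snort itself. The following is an added example, not code from the thread or the Snort project: it parses lines in Snort's "fast" alert output format and collapses repeats per signature, source and destination, also counting how many distinct hosts each signature hit. The alert lines, sids and addresses are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample alerts in Snort's "fast" output format (not a real capture).
# One source hammers three web servers with the same NOOP signature.
SAMPLE_ALERTS = """\
11/17-12:01:02.000001 [**] [1:648:5] SHELLCODE x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 203.0.113.7:3412 -> 192.0.2.10:80
11/17-12:01:02.000452 [**] [1:648:5] SHELLCODE x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 203.0.113.7:3412 -> 192.0.2.10:80
11/17-12:01:03.000100 [**] [1:648:5] SHELLCODE x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 203.0.113.7:3413 -> 192.0.2.11:80
11/17-12:01:04.000300 [**] [1:648:5] SHELLCODE x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 203.0.113.7:3414 -> 192.0.2.12:80
11/17-12:02:00.000000 [**] [1:1390:2] SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 198.51.100.4:2001 -> 192.0.2.10:80
"""

# timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?(?:\[Priority: (?P<pri>\d+)\] )?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a fast-format alert."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def aggregate(text):
    """Collapse identical alerts (same sid, msg, src, dst, dport) into one row with a count,
    and report how many distinct destination hosts each sid was seen against."""
    counts = Counter()
    targets = {}
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue  # unparsable line: skip rather than miscount
        counts[(a["sid"], a["msg"], a["src"], a["dst"], a["dport"])] += 1
        targets.setdefault(a["sid"], set()).add(a["dst"])
    rows = [dict(sid=k[0], msg=k[1], src=k[2], dst=k[3], dport=k[4], count=n)
            for k, n in counts.most_common()]
    return rows, {sid: len(hosts) for sid, hosts in targets.items()}

if __name__ == "__main__":
    rows, hosts_per_sid = aggregate(SAMPLE_ALERTS)
    for r in rows:
        print(f"{r['count']:>4}  sid {r['sid']}  {r['src']} -> {r['dst']}:{r['dport']}  {r['msg']}")
    for sid, n in hosts_per_sid.items():
        print(f"sid {sid} seen against {n} distinct destination host(s)")
```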
