[Snort-sigs] Re: More about shell code rules

Curt Wilson curtw at ...2002...
Mon Nov 17 13:18:08 EST 2003


If the shellcode rules are dropped due to lack of interest from the general 
snort population, then I'd be glad to help continue discussions on them 
privately as I find them useful when tuned. Russell, I appreciate the 
information here and I think I may have read your original message too 
quickly which is why I was a bit confused.

I realize shellcode can be obfuscated with various tools such as ADMmutate 
and others, but there are still plenty of attacks with generic shellcode 
and NOPs floating about, so I feel detection is worthwhile. Someone not 
too long ago was talking about trying to create a detection engine for the 
various shellcode mutation engines; not sure if anything happened on that 
front. Didn't Dragos write some shellcode detector a while back? Has that 
been rolled into snort proper? fnord I think was the name.

I'm also curious to hear others' experiences and opinions regarding the 
shellcode rules.

Thanks
Curt Wilson

At 09:54 AM 11/18/2003 +1300, Russell Fulton wrote:
>On Tue, 2003-11-18 at 03:41, Curt Wilson wrote:
> > I'm happy to see discussion of the shellcode rules FPs, however in this
> > case it looks like you were getting targeted by a WebDAV exploit, I
> > believe. So the NOPs in this case were probably part of a legitimate NOP
> > sled. So the alert is probably accurate, I'm thinking.
>
>Oh yes, these are real exploits and that is my point.  These exploits
>were missed by the rules in their 'official' form which ignore noops
>sent *to* Web servers.
>
>The thrust of my argument is that the rules in the shellcode.rules are
>wrong and that the $SHELLCODE_PORTS should be on the destination address
>not the source.
>
>My apologies if I did not make that clear.
>
>
> >  How many destination
> > systems were probed with the exploit is probably making up the huge number
> > of alerts. If the "official" rules would ignore this based on port 80 not
> > receiving shellcode, then it's clear that, in the interests of reducing
> > false positives, attacks using port 80 are being missed.
>
>I was not actually complaining about the volume of alerts and although
>it would be nice to be able to limit the number of identical alerts I
>don't think that is really snort's job.  That can be handled by post
>processing.  (another field in Acid for number of identical alerts?)
>
> >  There
> > has to be a way to tune these, perhaps with some thresholding or with some
> > type of reporting intelligence to aggregate the alerts instead of
> > generating a flood. I'm still relatively inexperienced with snort rules so
> > I don't have any bright ideas, yet. It seems that using flowto server would
> > be useful for protecting your own systems but would not catch outbound
> > attacks. More reading/experimentation to do.
>
>I tried the flowto but if you do that then you need to double the number
>of rules (i.e. you need separate rules for TCP and UDP).  BTDT :)
> >
> > Thanks for exploring this area, Russell. I see enough shellcode out there
> > in exploits that I like the idea of detecting it, as long as we can
> > increase the accuracy.
>
>What do others feel about the shellcode rules?
>
>I believe that if no one is using them then they should be dropped from
>the distribution and those of us who want to play with them can put them
>in their local rules file (given the lack of interest in this thread this
>may well be the case).  If people do want to use them then they should be
>changed so they are correct and therefore useful.
>
>Brian: I am happy to send in my amended copies of the rules for you to
>add into the distribution.
>
>--
>Russell Fulton, Network Security Officer, The University of Auckland,
>New Zealand.

-----
Curt Wilson
SIUC PSO LAN Administrator
618-453-1344
GSEC, GCFW
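To make the port-placement argument in this thread concrete, here is an added Python model (not code from the thread, from Snort, or from its rule set) of an "x86 NOOP"-style content check. It assumes a signature of fourteen 0x90 bytes within the first 128 bytes, a port variable of "!80", and two constructed packets: one WebDAV-style request carrying a NOP run to a web server, and one binary response from a web server that happens to contain the same byte run.

```python
# Added example (not from the thread or from Snort): a toy model of the "x86 NOOP"
# content check, showing how placing the "!80" port test on the source versus the
# destination port changes which packets get inspected at all.
from dataclasses import dataclass

# Assumed signature parameters: a run of fourteen 0x90 bytes within the first 128
# bytes of payload, and a port variable of "!80" (anything but the HTTP port).
NOP_RUN = b"\x90" * 14
DEPTH = 128
HTTP_PORT = 80


@dataclass(frozen=True)
class Packet:
    src_port: int
    dst_port: int
    payload: bytes


def has_nop_run(payload: bytes) -> bool:
    """Content match limited to the first DEPTH bytes, like a depth: modifier."""
    return NOP_RUN in payload[:DEPTH]


def shellcode_alert(pkt: Packet, restrict: str) -> bool:
    """True if the rule fires. `restrict` selects where the "!80" test lives:
    "src" skips traffic *from* port 80, "dst" skips traffic *to* port 80."""
    port = pkt.src_port if restrict == "src" else pkt.dst_port
    if port == HTTP_PORT:
        return False  # port test fails, so the payload is never examined
    return has_nop_run(pkt.payload)


# Constructed sample traffic (not captured data):
# 1. a WebDAV-style request to a web server whose body carries a NOP run
EXPLOIT_TO_WEB = Packet(40321, 80,
                        b"PROPFIND / HTTP/1.1\r\nHost: x\r\n\r\n" + NOP_RUN + b"\xcc" * 8)
# 2. a binary download served by a web server that happens to contain 0x90 bytes
BINARY_FROM_WEB = Packet(80, 40322,
                         b"HTTP/1.1 200 OK\r\n\r\nMZ" + b"\x00" * 10 + NOP_RUN)


def compare_placements() -> dict:
    """Map each placement of the port test to the sample packets it fires on."""
    samples = (("exploit_to_web", EXPLOIT_TO_WEB), ("binary_from_web", BINARY_FROM_WEB))
    return {r: [name for name, pkt in samples if shellcode_alert(pkt, r)]
            for r in ("src", "dst")}


if __name__ == "__main__":
    for placement, hits in compare_placements().items():
        print(f"port test on {placement}: fires on {hits}")
```

Each placement silences exactly one of the two packets, which is the trade-off the thread is arguing over: the test on the source port drops the web server's binary response but keeps the inbound request, while the test on the destination port does the reverse.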