[Snort-sigs] Re: More about shell code rules
curtw at ...2002...
Mon Nov 17 13:18:08 EST 2003
If the shellcode rules are dropped due to lack of interest from the general
snort population, then I'd be glad to help continue discussions on them
privately as I find them useful when tuned. Russell, I appreciate the
information here and I think I may have read your original message too
quickly which is why I was a bit confused.
I realize shellcode can be obfuscated with various tools such as ADMmutate
and others, but there are still plenty of attacks with generic shellcode
and NOPs floating about that I feel detection is worthwhile. Someone not
too long ago was talking about trying to create a detection engine for the
various shellcode mutation engines; I'm not sure if anything happened on that
front. Didn't Dragos write some shellcode detector a while back? Has that
been rolled into snort proper? fnord I think was the name.
I'm also curious to hear others' experiences and opinions regarding the
At 09:54 AM 11/18/2003 +1300, Russell Fulton wrote:
>On Tue, 2003-11-18 at 03:41, Curt Wilson wrote:
> > I'm happy to see discussion of the shellcode rules FP's, however in this
> > case it looks like you were getting targeted by a WebDAV exploit, I
> > believe. So the NOP's in this case were probably part of a legitimate NOP
> > sled. So the alert is probably accurate, I'm thinking.
>Oh yes, these are real exploits and that is my point. These exploits
>were missed by the rules in their 'official' form which ignore noops
>sent *to* Web servers.
>The thrust of my argument is that the rules in the shellcode.rules are
>wrong and that the $SHELLCODE_PORTS should be on the destination address
>not the source.
>My apologies if I did not make that clear.
> > How many destination
> > systems were probed with the exploit is probably making up the huge number
> > of alerts. If the "official" rules would ignore this based on port 80 not
> > receiving shellcode, then it's clear that in the interests of reducing
> > false positives that attacks using port 80 are clearly being missed.
>I was not actually complaining about the volume of alerts and although
>it would be nice to be able to limit the number of identical alerts I
>don't think that is really snort's job. That can be handled by post
>processing. (another field in Acid for number of identical alerts?)
> > There
> > has to be a way to tune these, perhaps with some thresholding or with some
> > type of reporting intelligence to aggregate the alerts instead of
> > generating a flood. I'm still relatively inexperienced with snort rules so
> > I don't have any bright ideas, yet. It seems that using flowto server would
> > be useful for protecting your own systems but would not catch outbound
> > attacks. More reading/experimentation to do.
>I tried the flowto but if you do that then you need to double the number
>of rules (i.e. you need separate rules for TCP and UDP). BTDT :)
> > Thanks for exploring this area, Russell. I see enough shellcode out there
> > in exploits that I like the idea of detecting it, as long as we can
> > increase the accuracy.
>What do others feel about the shellcode rules?
>I believe that if no one is using them then they should be dropped from
>the distribution and those of us who want to play with them can put them
>in their local rules file (given the lack of interest in this thread this
>may well be the case). If people do want to use them, then they should be
>changed so they are correct and therefore useful.
>Brian: I am happy to send in my amended copies of the rules for you to
>add into the distribution.
>Russell Fulton, Network Security Officer, The University of Auckland,
SIUC PSO LAN Administrator
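Russell's point is that which side of the rule header carries $SHELLCODE_PORTS decides which direction of traffic the NOP rule ever inspects. The following is an added example, not code from this thread or from the Snort distribution: a small Python model of a Snort-style header (port specs only, nets reduced to "any") with a NOP-run content check, evaluated against two constructed packets, a NOP sled going to a web server and a web server reply carrying the same byte run. The variable value "!80", the 14-byte run and the 128-byte depth are placeholders and assumptions; the thread does not state what the official rule or Russell's snort.conf actually used.

```python
"""Model of how the side of a Snort rule header that carries a port variable
selects traffic. Added, constructed example; not Snort code and not the
thread's rules. Only the header (src_ports -> dst_ports) is modelled, nets
are assumed to be "any", and the content check is a simplified NOP run."""
from dataclasses import dataclass

NOP = 0x90
NOP_RUN = 14   # assumed run length; the thread gives no content spec
DEPTH = 128    # assumed inspection depth


@dataclass
class Packet:
    src_port: int
    dst_port: int
    payload: bytes


def port_matches(spec: str, port: int) -> bool:
    """Evaluate a Snort-style port spec: 'any', 'N', '!N', 'N:M' (N..M)."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def has_nop_sled(payload: bytes) -> bool:
    """True if the first DEPTH bytes contain a run of NOP_RUN 0x90 bytes."""
    return bytes([NOP]) * NOP_RUN in payload[:DEPTH]


def header_matches(header: str, pkt: Packet) -> bool:
    """header is 'src_ports -> dst_ports' (proto and nets already stripped)."""
    src_spec, dst_spec = (s.strip() for s in header.split("->"))
    return port_matches(src_spec, pkt.src_port) and port_matches(dst_spec, pkt.dst_port)


def rule_fires(header: str, pkt: Packet) -> bool:
    return header_matches(header, pkt) and has_nop_sled(pkt.payload)


# The same variable value placed on the source side and on the destination
# side. "!80" is a placeholder: the value used in the thread is not given.
SHELLCODE_PORTS = "!80"
VAR_ON_SOURCE = f"{SHELLCODE_PORTS} -> any"
VAR_ON_DEST = f"any -> {SHELLCODE_PORTS}"

# Constructed traffic: a sled sent towards a web server from an ephemeral
# port, and a web server reply that happens to carry the same byte run.
TO_WEB_SERVER = Packet(3456, 80, b"GET /" + bytes([NOP]) * 32 + b"\xcc" * 8)
FROM_WEB_SERVER = Packet(80, 3456, b"HTTP/1.1 200 OK\r\n\r\n" + bytes([NOP]) * 32)


def compare(pkt: Packet) -> dict:
    """Which of the two header orientations would alert on this packet."""
    return {"var_on_source": rule_fires(VAR_ON_SOURCE, pkt),
            "var_on_dest": rule_fires(VAR_ON_DEST, pkt)}


if __name__ == "__main__":
    for name, pkt in (("to web server", TO_WEB_SERVER),
                      ("from web server", FROM_WEB_SERVER)):
        print(name, compare(pkt))
```

Swap in the value from your own snort.conf for SHELLCODE_PORTS and the two dictionaries show directly which direction of web traffic each orientation of the header silently skips; that is the check to run before deciding which version of the rules to keep in a local rules file.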
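Both sides of the thread agree that collapsing a flood of identical alerts is a post-processing job (Curt's "reporting intelligence to aggregate the alerts", Russell's extra Acid field for the number of identical alerts). As an added example, not from the thread or from Snort or Acid, here is a Python script that parses constructed Snort "fast" alert lines, counts repeats per signature, source and destination, reports how many hosts one source hit with the same signature (the fan-out of a sweep), and applies a limit-per-window pass in the spirit of Snort's threshold option. The alert lines, the signature id 1:100000:1 and the message text are constructed; the line layout is assumed to follow the standard fast output format.

```python
"""Post-processing aggregation of identical Snort alerts.
Added, constructed example for the thread; not Snort or Acid code.
Assumes the standard "fast" alert layout:
  timestamp [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port"""
import re
from collections import defaultdict
from datetime import datetime

FAST_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sig>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast(line):
    """Return a dict of fields for one fast-alert line, or None if it is not one."""
    m = FAST_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"]) if d["sport"] else None
    d["dport"] = int(d["dport"]) if d["dport"] else None
    return d


def aggregate(lines):
    """Collapse identical alerts: {(sig, msg, src, dst, dport): count/first/last}."""
    out = {}
    for line in lines:
        a = parse_fast(line)
        if a is None:
            continue
        key = (a["sig"], a["msg"], a["src"], a["dst"], a["dport"])
        rec = out.setdefault(key, {"count": 0, "first": a["ts"], "last": a["ts"]})
        rec["count"] += 1
        rec["last"] = a["ts"]
    return out


def distinct_targets(lines):
    """How many destination hosts each (sig, src) pair hit: the size of a sweep."""
    targets = defaultdict(set)
    for line in lines:
        a = parse_fast(line)
        if a:
            targets[(a["sig"], a["src"])].add(a["dst"])
    return {k: len(v) for k, v in targets.items()}


def limit_per_window(lines, limit, window_s):
    """Keep at most `limit` alerts per (sig, src, dst) in each window_s-second
    window, the window starting at the first alert seen for that key."""
    kept, state = [], {}
    for line in lines:
        a = parse_fast(line)
        if a is None:
            continue
        t = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f")  # fast output has no year
        key = (a["sig"], a["src"], a["dst"])
        start, n = state.get(key, (t, 0))
        if (t - start).total_seconds() >= window_s:
            start, n = t, 0
        if n < limit:
            kept.append(line)
        state[key] = (start, n + 1)
    return kept


# Constructed sample: one source sweeping three web servers with the same
# signature (two hits on the first), one alert in the reply direction, and
# one junk line. Signature id and message text are placeholders.
SAMPLE = """\
11/17-13:18:08.100000  [**] [1:100000:1] SHELLCODE NOOP (constructed) [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.0.0.5:3456 -> 192.0.2.10:80
11/17-13:18:08.200000  [**] [1:100000:1] SHELLCODE NOOP (constructed) [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.0.0.5:3457 -> 192.0.2.10:80
11/17-13:18:09.000000  [**] [1:100000:1] SHELLCODE NOOP (constructed) [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.0.0.5:3458 -> 192.0.2.11:80
11/17-13:18:09.500000  [**] [1:100000:1] SHELLCODE NOOP (constructed) [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.0.0.5:3459 -> 192.0.2.12:80
11/17-13:18:10.000000  [**] [1:100000:1] SHELLCODE NOOP (constructed) [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 192.0.2.10:80 -> 10.0.0.9:4001
not an alert line
""".splitlines()


def summary():
    """Sorted (src, dst, count) rows for the constructed sample."""
    return sorted((k[2], k[3], v["count"]) for k, v in aggregate(SAMPLE).items())


if __name__ == "__main__":
    for row in summary():
        print(row)
    print(distinct_targets(SAMPLE))
    print(len(limit_per_window(SAMPLE, 1, 60)), "alerts kept after limiting")
```

The key deliberately leaves out the source port, which changes on every connection; keying on it would defeat the aggregation. The fan-out count is the number worth surfacing in a console: one source hitting many destinations with the same sled is a different event from many repeats against one host.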