[Snort-sigs] Re: More about shell code rules

Brian bmc at ...95...
Mon Nov 17 13:53:18 EST 2003


On Tue, Nov 18, 2003 at 09:54:23AM +1300, Russell Fulton wrote:
> The thrust of my argument is that the rules in the shellcode.rules are
> wrong and that the $SHELLCODE_PORTS should be on the destination address
> not the source.

Yeah, that was a mistake on my part.

> I was not actually complaining about the volume of alerts and although
> it would be nice to be able to limit the number of identical alerts I
> don't think that is really snort's job.  That can be handled by post
> processing.  (another field in Acid for number of identical alerts?)

Thresholding does this.

threshold gen_id 1, sig_id 1424, type limit, track by_src, count 1, seconds 60

> What do other feel about the shellcode rules?  

I haven't been thrilled with the idea of shellcode rules for years.  As we go
forward I'm moving more and more away from writing rules that are
hardcoded to a specific shellcode.

> I believe that if no one is using them then they should be dropped from
> the distribution and those of us who want to play with them can put them
> in their local rules file (given the lack of interest in this thread this
> may well be the case).  If people do want to use them then they should be
> changed so they are correct and therefore useful.

Some people use them, which is why they are still there.  They are
just off by default since the rest of us don't want to bother with
them.

> Brian: I am happy to send in my amended copies of the rules for you to
> add into the distribution.

Nah, I know what's wrong and can modify rules without help, thanks
though. :P

-b
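As an added illustration (not part of the original thread), here is a small Python model of the event thresholding Brian points to, written from the Snort manual's definitions of the limit, threshold and both types; the directive is the one quoted in the mail, and the alert events are constructed.

```python
"""Model of Snort's threshold directive, e.g. the one from the thread:
threshold gen_id 1, sig_id 1424, type limit, track by_src, count 1, seconds 60
"""


class Threshold:
    """One threshold directive keyed on (gen_id, sig_id) and a tracked address."""

    def __init__(self, gen_id, sig_id, kind, track, count, seconds):
        assert kind in ("limit", "threshold", "both")
        assert track in ("by_src", "by_dst")
        self.key, self.kind, self.track = (gen_id, sig_id), kind, track
        self.count, self.seconds = count, seconds
        self.state = {}  # tracked address -> (window_start, events_in_window)

    def should_log(self, ts, gen_id, sig_id, src, dst):
        if (gen_id, sig_id) != self.key:
            return True  # directive does not apply; event passes through
        addr = src if self.track == "by_src" else dst
        start, seen = self.state.get(addr, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, seen = ts, 0  # interval elapsed: open a new window
        seen += 1
        self.state[addr] = (start, seen)
        if self.kind == "limit":
            return seen <= self.count  # first `count` events, then silence
        if self.kind == "threshold":
            return seen % self.count == 0  # every `count`-th event
        return seen == self.count  # both: once per window, at `count` events


# Constructed alerts: (timestamp_s, gen_id, sig_id, src, dst).
SAMPLE_ALERTS = [
    (0, 1, 1424, "10.0.0.5", "192.0.2.10"),
    (5, 1, 1424, "10.0.0.9", "192.0.2.10"),   # different source, own window
    (10, 1, 1424, "10.0.0.5", "192.0.2.11"),  # suppressed by limit
    (30, 1, 1424, "10.0.0.5", "192.0.2.12"),  # suppressed by limit
    (70, 1, 1424, "10.0.0.5", "192.0.2.10"),  # 60 s elapsed: logged again
    (71, 1, 9999, "10.0.0.5", "192.0.2.10"),  # other sig_id, unaffected
]


def apply_threshold(directive, alerts):
    """Return the timestamps of alerts that survive the directive."""
    return [a[0] for a in alerts if directive.should_log(*a)]


if __name__ == "__main__":
    limit = Threshold(1, 1424, "limit", "by_src", 1, 60)
    print(apply_threshold(limit, SAMPLE_ALERTS))  # [0, 5, 70, 71]
```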
