[Snort-sigs] Re: More about shell code rules

Russell Fulton r.fulton at ...575...
Mon Nov 17 14:25:02 EST 2003

On Tue, 2003-11-18 at 10:52, Brian wrote:

> > I was not actually complaining about the volume of alerts and although
> > it would be nice to be able to limit the number of identical alerts I
> > don't think that is really snort's job.  That can be handled by post
> > processing.  (another field in Acid for number of identical alerts?)
> thresholding does this.   
> threshold gen_id 1, sig_id 1424, type limit, track by_src, count 1, seconds 60

Thanks, I'll look into this. I'm out of touch with the recent
developments in snort, sigh...  I must get myself back on the
developers' list.

> > What do other feel about the shellcode rules?  
> I haven't been thrilled with the idea of shellcode rules for years.  As we go
> forward I'm moving more and more away from writing rules that are
> hardcoded to a specific shellcode.

I agree in principle, but I still find generic shellcode detects useful
in conjunction with other alerts.  With so many exposed machines I often
see attack probes against 100+ systems; when I pull all the alerts
associated with that source address and see 10 destinations that have
shellcode detects too, then I know which machines I need to take a
second look at.

> > Brian: I am happy to send in my amended copies of the rules for you to
> > add into the distribution.
> Nah, I know what's wrong and can modify rules without help, thanks
> though. :P

Would you please :)

BTW I did not mean to cast aspersions on your ability to make simple
changes to rules ;) just thought I might save you a few minutes work
with an editor.

Cheers, Russell

Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.
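Added example (not part of the thread, and not Snort's own code): a small Python post-processor that emulates the semantics of the threshold line Brian quotes, `threshold gen_id 1, sig_id 1424, type limit, track by_src, count 1, seconds 60` (pass the first `count` alerts per source address in each `seconds` window, drop the rest), and then does the per-source correlation Russell describes, listing which destinations attacked by one source also carry a shellcode detect. The alert records, the "probe" signature id 2001 and the choice of which sids count as shellcode detects are constructed for illustration and are not taken from the list or from the Snort rule set.

```python
"""Emulate Snort 'threshold type limit' in post-processing and correlate
shellcode detects per attacking source. All alert data below is constructed."""
from typing import List, NamedTuple, Set, Tuple


class Alert(NamedTuple):
    ts: int       # seconds since start of capture
    gen_id: int   # Snort generator id (1 = rules engine)
    sig_id: int   # Snort signature id
    src: str
    dst: str


# Constructed sample alerts. sid 1424 is the sid from Brian's threshold line;
# sid 2001 is a hypothetical "probe" signature used only for this example.
SAMPLE_ALERTS: List[Alert] = [
    Alert(0,  1, 1424, "10.0.0.5", "192.168.1.10"),
    Alert(1,  1, 2001, "10.0.0.5", "192.168.1.10"),
    Alert(2,  1, 1424, "10.0.0.9", "192.168.1.12"),
    Alert(3,  1, 2001, "10.0.0.5", "192.168.1.30"),
    Alert(4,  1, 2001, "10.0.0.5", "192.168.1.31"),
    Alert(5,  1, 1424, "10.0.0.5", "192.168.1.10"),   # same 60s window: dropped
    Alert(30, 1, 1424, "10.0.0.5", "192.168.1.11"),   # by_src, same window: dropped
    Alert(70, 1, 1424, "10.0.0.5", "192.168.1.10"),   # new window: passes
]

# Constructed assumption: which sids this site treats as generic shellcode detects.
SHELLCODE_SIDS: Set[int] = {1424}


def apply_limit_threshold(alerts: List[Alert], gen_id: int, sig_id: int,
                          count: int, seconds: int,
                          track: str = "by_src") -> List[Alert]:
    """'type limit': for the given gen_id/sig_id, pass the first `count` alerts
    per tracked address within each `seconds` window (window starts at the
    first alert seen) and drop the rest. Other signatures pass through."""
    state = {}  # tracked address -> (window_start, alerts_seen_in_window)
    passed = []
    for a in sorted(alerts, key=lambda x: x.ts):
        if (a.gen_id, a.sig_id) != (gen_id, sig_id):
            passed.append(a)
            continue
        key = a.src if track == "by_src" else a.dst
        start, seen = state.get(key, (None, 0))
        if start is None or a.ts - start >= seconds:
            start, seen = a.ts, 0          # open a fresh window
        if seen < count:
            passed.append(a)
        state[key] = (start, seen + 1)
    return passed


def shellcode_destinations(alerts: List[Alert], src: str,
                           shellcode_sids: Set[int]) -> Tuple[List[str], List[str]]:
    """For one attacking source, return (all destinations it hit, the subset
    of those destinations that also produced a shellcode detect)."""
    hit = {a.dst for a in alerts if a.src == src}
    shell = {a.dst for a in alerts if a.src == src and a.sig_id in shellcode_sids}
    return sorted(hit), sorted(shell)


if __name__ == "__main__":
    filtered = apply_limit_threshold(SAMPLE_ALERTS, 1, 1424, count=1, seconds=60)
    print("alerts after threshold:", len(filtered), "of", len(SAMPLE_ALERTS))
    print("unthresholded:", shellcode_destinations(SAMPLE_ALERTS, "10.0.0.5", SHELLCODE_SIDS))
    print("thresholded:  ", shellcode_destinations(filtered, "10.0.0.5", SHELLCODE_SIDS))
```

Running it on the constructed data shows the point worth checking before relying on such a threshold: with `track by_src, count 1`, the second shellcode detect from 10.0.0.5 (against 192.168.1.11) is suppressed, so the "which destinations to look at again" list shrinks from two hosts to one. The correlation should therefore be run over the full alert stream, with the limit applied only to what is displayed.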
