[Snort-sigs] Newbie question on traffic

Joshua Wright Joshua.Wright at ...196...
Mon Nov 24 05:16:06 EST 2003


> Is there any easy way to convert shellcode from an exploit to a sig for
> Snort?  I just want to make sure that I'm correct in assuming that
> something like
> \xeb\x19\x5e\x31\xc9\x81\xe9\xa6\xff\xff\xff\x81\x36\x99\x99\x99
> should look like this in a packet dump
> eb 19 5e 31 c9 81 e9 a6 ff ff ff 81 36 99 99 99

Not necessarily.  The shellcode you are looking at may or may not traverse the network.  Your best bet is to set up a test box and try out the exploit (on a test network) using your favorite sniffer to capture the traffic between the hosts.  Then, take the information from the packet capture and carefully analyze the trace to identify a signature that will provide a true-positive rule match.  Then, test, test, test that rule before you put it into a production sensor.

-Joshua Wright
Senior Network and Security Architect
Johnson & Wales University
Joshua.Wright at ...196... 

pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73
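Added example (not part of the list post or of Snort itself): a small Python script that does the mechanical half of what the question asks, turning a C-style `\xNN` shellcode string into the lowercase hex a sniffer's dump column shows and into Snort's `|..|` binary `content:` notation, and then illustrates the reply's caveat by checking a content match against two constructed payloads, one carrying the bytes verbatim and one carrying them transformed in transit (here XOR-ed with a constant, a constructed transformation chosen only to show that the wire bytes need not equal the exploit source). The sample shellcode string, the HTTP-like payloads, the sid value and the message text are all constructed for the example.

```python
import re

# Constructed sample: the escaped shellcode bytes quoted in the question.
ESCAPED = r"\xeb\x19\x5e\x31\xc9\x81\xe9\xa6\xff\xff\xff\x81\x36\x99\x99\x99"


def unescape_shellcode(text: str) -> bytes:
    """Turn a C-style "\\xNN\\xNN..." string into the raw bytes it denotes.
    Rejects input that contains anything other than \\xNN escapes, so a stray
    literal character cannot silently drop out of the signature."""
    pairs = re.findall(r"\\x([0-9a-fA-F]{2})", text)
    if len(pairs) * 4 != len(text):
        raise ValueError("input contains characters other than \\xNN escapes")
    return bytes(int(p, 16) for p in pairs)


def as_packet_dump(data: bytes) -> str:
    """Render bytes the way a sniffer's hex column shows them:
    lowercase, space-separated, no 0x prefixes."""
    return " ".join(f"{b:02x}" for b in data)


def as_snort_content(data: bytes) -> str:
    """Render bytes as a Snort content: option using the |..| binary notation."""
    return 'content:"|' + " ".join(f"{b:02X}" for b in data) + '|";'


def build_rule(data: bytes, sid: int, msg: str) -> str:
    """Assemble a minimal Snort rule that alerts on the byte sequence in any
    TCP payload.  The header is deliberately broad; a real rule would narrow
    hosts, ports and direction after studying the capture, as the reply advises."""
    return (f'alert tcp any any -> any any (msg:"{msg}"; '
            f"{as_snort_content(data)} sid:{sid}; rev:1;)")


def payload_matches(payload: bytes, pattern: bytes) -> bool:
    """Would a plain content: match on `pattern` fire against this payload?"""
    return pattern in payload


if __name__ == "__main__":
    code = unescape_shellcode(ESCAPED)
    print(as_packet_dump(code))
    print(build_rule(code, sid=1000001, msg="constructed example shellcode"))

    # Constructed payloads: one carries the bytes verbatim, the other carries
    # them XOR-ed with a constant (a constructed transformation).  The second
    # never matches, which is the reply's point: capture the real traffic and
    # derive the signature from what actually crosses the wire.
    verbatim = b"GET /" + code + b" HTTP/1.0\r\n"
    transformed = b"GET /" + bytes(b ^ 0x99 for b in code) + b" HTTP/1.0\r\n"
    print(payload_matches(verbatim, code), payload_matches(transformed, code))
```

Run it directly to see the dump-style hex, the generated rule and the `True False` pair for the two payloads; the functions are kept separate so the same conversion can be dropped into a script that reads a sniffer's captured payload instead of a constructed one.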
