[Snort-sigs] shellcode false positives

Paul Tinsley jackhammer at ...2420...
Sun May 9 23:09:02 EDT 2004


What is the "right" way to exempt multiple ports from a class of
rules?  You can't comma-separate ports...

The goal is probably easiest to lay out in almost-valid Snort syntax :)

Way I wish it worked:
var ENCRYPTED_PORTS [22,443,993,995]

Then edit the shellcode rules to be like the following rule:
alert ip $EXTERNAL_NET any -> $HOME_NET !$ENCRYPTED_PORTS
(msg:"SHELLCODE x86 setgid 0"; content: "|b0b5 cd80|";
reference:arachnids,284; classtype:system-call-detect; sid:649;
rev:6;)

Most if not all of my false positives for that set of rules are due to
it matching some crazy string in an SSH file transfer or an IMAPS
email session.  How do I accomplish the above in Snort without a
crapload of pass rules?
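Added example, not part of the post above and not Snort's own code: a small Python generator for the pass-rule route that Snort 2.x-era rule headers force, since a header port field there takes a single port, a range (`lo:hi`) or a negated single value, not a list (Snort 2.8 and later added `portvar` and bracketed port lists, so the wished-for `!$ENCRYPTED_PORTS` header works on those versions). What it demonstrates is scope: each generated pass rule repeats the alert rule's header and content match, so it silences only that signature on that port, whereas a bare `pass ip any any -> $HOME_NET 22` would suppress every rule for SSH. The `ENCRYPTED_PORTS` list, the sample rule text (sid 649 patterned on the rule in the post, sid 1000001 a made-up local rule), the local sid base `1000000`, and the `port_spec_covers`, `generate_pass_rules` and `exemption_conf` names are the example's own assumptions.

```python
"""Generate narrowly scoped Snort 2.x 'pass' rules that exempt a list of
destination ports from a set of content-based alert rules.

Added example, not code from the post or from the Snort project. Assumptions:
the rule text below is constructed (sid 649 is patterned on the rule in the
post, sid 1000001 is a made-up local rule), and pass-rule sids are handed out
from a made-up local base of 1000000.
"""
import re
from typing import Dict, Iterable, List, Optional

# Ports to exempt (constructed list, taken from the post's wish).
ENCRYPTED_PORTS = [22, 443, 993, 995]

# Constructed sample rule set. The second rule only fires on high ports, so it
# never needs a pass rule for the ports above and the generator skips it.
SHELLCODE_RULES = """\
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 setgid 0"; content:"|b0b5 cd80|"; reference:arachnids,284; classtype:system-call-detect; sid:649; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"LOCAL constructed high-port int 0x80"; content:"|cd80|"; sid:1000001; rev:1;)
"""

# Rule header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
CONTENT_RE = re.compile(r'content\s*:\s*(!?)\s*"([^"]*)"')
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")


def port_spec_covers(spec: str, port: int,
                     variables: Optional[Dict[str, str]] = None) -> bool:
    """Return True if a Snort 2.x header port field matches `port`.

    Handles 'any', a single port, a range 'lo:hi' with either end open,
    a negation '!x', and '$VAR' looked up in `variables`. An unresolved
    variable is treated as 'any', so the caller errs toward emitting a
    pass rule rather than silently leaving a port unexempted.
    """
    spec = spec.strip()
    if spec.startswith("!"):
        return not port_spec_covers(spec[1:], port, variables)
    if spec.startswith("$"):
        resolved = (variables or {}).get(spec[1:], "any")
        return port_spec_covers(resolved, port, variables)
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def generate_pass_rules(rules_text: str, ports: Iterable[int],
                        variables: Optional[Dict[str, str]] = None,
                        first_sid: int = 1000000) -> List[str]:
    """Emit one pass rule per (alert rule, exempted port) pair.

    Each pass rule keeps the alert's header and its content matches, so only
    that signature is silenced on that port. Alert rules without a content
    match are skipped rather than turned into blanket pass rules, and ports
    the alert's destination field cannot match are skipped too. Content
    modifiers (depth, offset, nocase, ...) are not copied.
    """
    ports = list(ports)
    out: List[str] = []
    next_sid = first_sid  # made-up local sid range for the pass rules
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m or m.group("action") != "alert":
            continue
        contents = CONTENT_RE.findall(m.group("opts"))
        if not contents:
            continue
        sid_m = SID_RE.search(m.group("opts"))
        src_sid = sid_m.group(1) if sid_m else "?"
        content_opts = "".join(f' content:{neg}"{val}";' for neg, val in contents)
        proto, src, sport, dst = (m.group(k) for k in ("proto", "src", "sport", "dst"))
        for port in ports:
            if not port_spec_covers(m.group("dport"), port, variables):
                continue
            out.append(
                f'pass {proto} {src} {sport} -> {dst} {port} '
                f'(msg:"PASS sid {src_sid} on encrypted port {port}";'
                f'{content_opts} sid:{next_sid}; rev:1;)'
            )
            next_sid += 1
    return out


def exemption_conf(rules_text: str, ports: Iterable[int],
                   variables: Optional[Dict[str, str]] = None) -> str:
    """Return a snort.conf fragment: rule-order directive plus the pass rules."""
    lines = [
        "# Pass rules only take effect when evaluated before alert rules:",
        "# start Snort with -o, or keep this directive in snort.conf.",
        "config order: pass alert log",
        "",
    ]
    lines += generate_pass_rules(rules_text, ports, variables)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(exemption_conf(SHELLCODE_RULES, ENCRYPTED_PORTS))
```

Pass rules only win if Snort evaluates them ahead of alert rules, which is not the default order: start it with `-o`, or keep the emitted `config order: pass alert log` line in snort.conf. Because the generator does not copy content modifiers such as `depth` or `offset`, a pass rule can be slightly broader than the alert it shadows, so review the output before deploying it.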
