[Snort-users] newbie: wondering about some alerts

Vitaly McLain twistah at ...93...
Fri Aug 11 00:46:05 EDT 2000


I am not sure how much you have delt with security, and so I don't know how
much detail to go into. Here is the basic idea of those alerts: Attackers
("hackers"/"crackers"/whatever) very commonly exploit holes in software know
as buffer overflows. Simply put, data is being put into a buffer that the
buffer can't handle, no bounds checking is done, and the program crashes
(yes I know that's a very 'simple' explanation :). Anyway, the idea is to
get that program to execute arbitrary code on your system to gain or elevate
privledges. Programs to exploit such holes are avalible all over the Net,
and so it is not hard for people with a C compiler to use them (check out
www.technotronic.com, packetstorm.securify.com and www.hack.co.za). The
'code' the programs execute on your system is called 'shellcode'. It
commonly contains 'NOP's, which are 0x90 in HEX. This is what Snort is
detecting: it sees some attacker is using an overflow attack against your
system. Snort doesn't neccesarily know what service he's trying to exploit
(ie ftpd, etc), but it can detect the possible presence of shellcode.
The alert "MISC - Shellcode X86 Setgid0" is slightly different in that it
detects shellcode specifically made to give attacker the group ID (gid) of 0

And, no post about buffer overflows can be complete without mentioning
Aleph1's classic paper on buffer overflows, "Smashing the Stack for Fun and
Profit." It was published in Phrack magazine, and you can find it there:
Note that an attacker does not have to know or understand that paper to
exploit such holes (most attackers are "script kiddys" and don't know much
about programming, etc.) They simply have to follow steps such as:

mysystem~$ gcc exploit.c -o exploit
mysystem~$ ./exploit host.i.want.to.attack
Connecting....sending shellcode...ROOT GAINED

Sometimes, it is as easy as that

I am rambling now, so I will stop the post here :)

Vitaly McLain
twistah at ...93...
[ note : a copy of this message has been sent to [snort-users] and the
original poster ]

More information about the Snort-users mailing list