[Snort-users] Re: [Snort-sigs] RE: SHELLCODE rules

Detmar Liesen counter.spy at ...348...
Tue Jul 16 13:33:03 EDT 2002


Hi Matt, thanks for your reply.


>Furthermore, it's obvious you're using an older vintage of snort. Newer
>releases of snort have this version:
>
>bash$ grep "SHELLCODE x86 NOOP" shellcode.rules
>alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE x86 NOOP"; content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth: 128; reference:arachnids,181; classtype:shellcode-detect; sid:648; rev:5;)
>alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE x86 NOOP"; content:"|61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61|"; classtype:shellcode-detect; sid:1394; rev:3;)
>
>and:
>
>bash$ grep SHELLCODE_PORTS snort.conf
>var SHELLCODE_PORTS !80

Yeah, this is true, I picked the rules from an older version on my desktop :)
On our perimeter snort I have deployed the current ruleset, which is not much
better regarding Shellcode rules (but it's a lot better than the 1.8.6
default ruleset).

>Which isn't a whole lot better, but does help a little. Flows will
>definitely help this out a lot, but that's not a mainstream-release snort
>feature yet. With flows you could do a TCP rule that only caught flows
>where the machine inside your home_net was a server, not a client, and have
>separate rules for UDP and ICMP.

I am looking forward to deploying flow-rulesets in the next release, if this
will be fully implemented then.

>Personally I'm currently running modified versions of the shellcode rules
>that only monitor ports on machines in my DMZ which are public services.
>This is a bit limited in protection, but it's also not likely to false (ie:
>shellcode in traffic to your public DNS server on port 53 is most likely a
>real, live exploit attempt, especially if it is TCP/53.). I get some peace
>of mind in having the "most likely targets" monitored without having to
>remove the rule entirely due to high false rate.

Thanks for your input. I am realizing that there is still much for me to
learn in order to tune snort properly for optimal results. This is one thing
that I have learned from my thesis:
administration and tuning of an IDS is *much* work and not trivial.

Cheers,
Detmar


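An added model of the two quoted rules, written for this thread and not part of the original mail or of Snort: it applies sid 648 and sid 1394 (content and depth exactly as quoted) under the stock SHELLCODE_PORTS !80 scope and under a DMZ-public-services scope like the one Matt describes, over constructed packets. All hosts, ports and payloads are invented sample data.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str        # source host (constructed, RFC 5737 addresses)
    dst: str        # destination host
    dst_port: int
    payload: bytes

# content/depth copied from the two rules quoted in the thread (0x61 == 'a')
RULES = {
    648:  {"content": b"\x90" * 14, "depth": 128},
    1394: {"content": b"a" * 21,    "depth": None},
}

# constructed network layout: HOME_NET hosts, and the DMZ (host, port) pairs
# that are public services (DNS on .5, MX on .25)
HOME_NET = {"10.1.1.5", "10.1.1.25", "10.2.0.9"}
DMZ_SERVICES = {("10.1.1.5", 53), ("10.1.1.25", 25)}

def content_matches(payload, content, depth):
    # Snort's depth: the pattern must lie wholly within the first `depth` bytes
    window = payload if depth is None else payload[:depth]
    return content in window

def stock_scope(pkt):
    # $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS, with SHELLCODE_PORTS = !80
    return pkt.src not in HOME_NET and pkt.dst in HOME_NET and pkt.dst_port != 80

def dmz_scope(pkt):
    # only traffic to DMZ hosts on the ports where they offer public services
    return pkt.src not in HOME_NET and (pkt.dst, pkt.dst_port) in DMZ_SERVICES

def alerts(pkt, scope):
    """Return the set of sids that would fire on pkt under the given scope."""
    if not scope(pkt):
        return set()
    return {sid for sid, r in RULES.items()
            if content_matches(pkt.payload, r["content"], r["depth"])}

SAMPLES = {  # constructed packets
    "dns_sled":      Packet("198.51.100.7", "10.1.1.5", 53, b"\x00" * 10 + b"\x90" * 14 + b"xx"),
    "deep_sled":     Packet("198.51.100.7", "10.1.1.5", 53, b"\x00" * 200 + b"\x90" * 14),
    "internal_mail": Packet("198.51.100.9", "10.2.0.9", 25, b"Subject: " + b"a" * 30),
    "web_post":      Packet("198.51.100.9", "10.1.1.5", 80, b"POST / " + b"a" * 30),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, "stock:", alerts(pkt, stock_scope), "dmz:", alerts(pkt, dmz_scope))
```

The internal_mail sample shows the false positive Matt's scoping removes (a run of 'a' in mail to a non-DMZ host), and deep_sled shows that sid 648's depth of 128 never sees a sled that starts later in the payload.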