[Snort-users] Re: [Snort-sigs] RE: SHELLCODE rules

Detmar Liesen counter.spy at ...348...
Tue Jul 16 13:33:03 EDT 2002

Hi Matt, thanks for your reply.

>Furthermore, it's obvious you're using an older vintage of snort. Newer 
>releases of snort have this version:
>bash$ grep "SHELLCODE x86 NOOP" shellcode.rules
>x86 NOOP";
>content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth: 128; 
>ids,181; classtype:shellcode-detect; sid:648; rev:5;)
>x86 NOOP";
>content:"|61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61|";

>e:shellcode-detect; sid:1394; rev:3;)
>bash$ grep SHELLCODE_PORTS snort.conf

Yeah, this is true, I picked the rules from an older version on my desktop.
On our perimeter Snort I have deployed the current ruleset, which is not
better regarding shellcode rules (but it's a lot better than the 1.8.6
default ruleset).

>Which isn't a whole lot better, but does help a little. Flows will 
>definitely help this out a lot, but that's not a mainstream-release snort 
>feature yet. With flows you could do a TCP rule that only caught flows 
>where the machine inside your home_net was a server, not a client, and have
>separate rules for UDP and ICMP.

I am looking forward to deploying flow rulesets in the next release, if this
is fully implemented by then.

>Personally I'm currently running modified versions of the shellcode rules 
>that only monitor ports on machines in my DMZ which are public services. 
>This is a bit limited in protection, but it's also not likely to false (ie:
>shellcode in traffic to your public DNS server on port 53 is most likely a 
>real, live exploit attempt, especially if it is TCP/53.). I get some peace 
>of mind in having the "most likely targets" monitored without having to 
>remove the rule entirely due to high false rate.

Thanks for your input. I am realizing that there is still much for me to
learn in order to tune Snort properly for optimal results. This is one thing
that I have learned from my thesis:
administration and tuning of an IDS is *a lot of* work and not trivial.
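Added example, not part of the original thread and not Snort code: a small
Python model of the two quoted NOOP checks (sid 648, fourteen 0x90 bytes
within the first 128 payload bytes; sid 1394, twenty-one 0x61 bytes) and of
the tuning Matt describes, firing only when the monitored host is the server
side, i.e. the packet is inbound to a DMZ service port. The DMZ addresses,
ports, packets and the missing depth on sid 1394 are all assumptions made up
for the illustration; the second sample packet shows the kind of client-side
download that trips the stock rule and that the server-only variant drops.

```python
"""Toy re-implementation of the quoted SHELLCODE x86 NOOP checks plus the
'server side only' tuning. All addresses, ports and payloads are constructed
for this example; it is not code from Snort or from the original post."""

from dataclasses import dataclass

# Assumed DMZ services (host, port). Stands in for a DMZ-only port variable
# in place of the stock $SHELLCODE_PORTS / $HOME_NET any combination.
DMZ_SERVICE_PORTS = {("10.0.0.53", 53), ("10.0.0.80", 80)}

# Patterns from the quoted rules. sid 648 carries depth 128; the depth of
# sid 1394 did not survive in the quote, so None (whole payload) is assumed.
NOP_SIGS = {
    648: (b"\x90" * 14, 128),
    1394: (b"\x61" * 21, None),
}


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def match_sid(payload: bytes, sid: int) -> bool:
    """Snort-style content match limited to the first `depth` bytes."""
    pattern, depth = NOP_SIGS[sid]
    window = payload if depth is None else payload[:depth]
    return pattern in window


def alerts_untuned(pkt: Packet) -> list:
    """Stock behaviour: inspect every payload regardless of direction."""
    return [sid for sid in NOP_SIGS if match_sid(pkt.payload, sid)]


def alerts_server_only(pkt: Packet) -> list:
    """Tuned: fire only when the destination is a DMZ service, so the
    inside host is the server and the payload comes from the client."""
    if (pkt.dst, pkt.dport) not in DMZ_SERVICE_PORTS:
        return []
    return alerts_untuned(pkt)


# Constructed sample traffic.
SAMPLES = [
    # 1. exploit-like: sled inside the first 128 bytes, inbound to TCP/53
    Packet("203.0.113.5", 40001, "10.0.0.53", 53,
           b"\x00\x10" + b"\x90" * 64 + b"\xcc" * 8),
    # 2. false positive: an HTTP response to an inside *client* that
    #    happens to carry 0x90 padding
    Packet("198.51.100.7", 80, "10.0.0.200", 51000,
           b"HTTP/1.1 200 OK\r\n\r\n" + b"\x90" * 32),
    # 3. sled only beyond byte 128: depth 128 keeps sid 648 quiet
    Packet("203.0.113.5", 40002, "10.0.0.80", 80,
           b"A" * 130 + b"\x90" * 20),
    # 4. 'a' sled sent to the web server: sid 1394
    Packet("203.0.113.5", 40003, "10.0.0.80", 80,
           b"GET /" + b"a" * 30),
]


def compare(samples=SAMPLES) -> list:
    """Return (untuned, server_only) alert lists per sample."""
    return [(alerts_untuned(p), alerts_server_only(p)) for p in samples]


if __name__ == "__main__":
    for i, (stock, tuned) in enumerate(compare(), 1):
        print(f"sample {i}: stock={stock} server-only={tuned}")
```

The second sample is the case the stock rule gets wrong: the 0x90 run is in
data the inside host requested, so there is no server to exploit, and the
direction check is what removes it. Sample 3 shows that the depth option on
sid 648 already limits the search window, which is why a sled that starts
late in a large payload is not seen by that rule at all.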


