[Snort-users] SHELLCODE Attacks
mkettler at ...4108...
Fri Dec 5 12:36:07 EST 2003
At 03:05 PM 12/5/2003, Naman Latif wrote:
>Does that mean that no SHELLCODE attacks exist for port 80 ?
Plenty of shellcode attacks exist for webservers.
*theoretically* I belive the intent is to not catch HTTP replies.. but the
shellcode rules are completely broken the way they are written.
Really you probably want to look for shellcode attacks with source-port
!80.. instead of dest-port !80.
Personally, I re-write these rules on a per-case basis for my uses. I have
one copy of each rule monitor all accessible ports on all servers. (inbound
to tcp/dns, tcp/smtp, tcp/http, etc)
More information about the Snort-users