[Snort-users] SHELLCODE Attacks

Matt Kettler mkettler at ...4108...
Fri Dec 5 12:36:07 EST 2003


At 03:05 PM 12/5/2003, Naman Latif wrote:
>Does that mean that no SHELLCODE attacks exist for port 80 ?

Plenty of shellcode attacks exist for webservers.

*theoretically* I belive the intent is to not catch HTTP replies.. but the 
shellcode rules are completely broken the way they are written.

Really you probably want to look for shellcode attacks with source-port 
!80.. instead of dest-port !80.

Personally, I re-write these rules on a per-case basis for my uses. I have 
one copy of each rule monitor all accessible ports on all servers. (inbound 
to tcp/dns, tcp/smtp, tcp/http, etc)





More information about the Snort-users mailing list