[Snort-users] SHELLCODE Attacks

Erwin Van de Velde erwin.vandevelde at ...10361...
Fri Dec 5 13:23:03 EST 2003


> *theoretically* I believe the intent is to not catch HTTP replies.. but the
> shellcode rules are completely broken the way they are written.
Catching HTTP traffic could lead to too many false positives...

> Personally, I re-write these rules on a per-case basis for my uses. I have
> one copy of each rule monitor all accessible ports on all servers. (inbound
> to tcp/dns, tcp/smtp, tcp/http, etc)
This seems not so good to me... wouldn't it be better to check for shellcode 
attacks on all ports behind the firewall (except for HTTP perhaps)? This way 
you cannot forget a port that is open and the traffic on ports that are 
filtered by the firewall isn't there anymore anyway... Only people behind the 
firewall, sending 'strange traffic' on ports that are not open could result 
in extra shellcode attack warnings... but perhaps you should watch people on 
your network trying to access non-existing services... Not all the bad guys 
are on the outside, you know....
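As an added illustration, not part of the thread, here is how the two scopings look as Snort 2 rules. The stock layout of that period (var SHELLCODE_PORTS !80 in snort.conf, used on the source side in shellcode.rules) is reproduced from memory; the sid values and the 8-byte NOP-sled content are constructed for this example.

```snort
# Added example (not from the thread): port scoping of a Snort 2 shellcode rule.
# The stock snort.conf defines the variable as "everything except 80":
var SHELLCODE_PORTS !80
# shellcode.rules then applies it to the *source* port, so the only traffic
# skipped is what comes *from* TCP/80, i.e. HTTP replies (the intent quoted above).
# Every other source port, including the ephemeral ports attackers use, is inspected.
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any \
  (msg:"SHELLCODE x86 NOOP (stock source-port scoping)"; \
   content:"|90 90 90 90 90 90 90 90|"; depth:128; \
   classtype:shellcode-detect; sid:1000001; rev:1;)

# Erwin's suggestion as a rule: inspect every port behind the firewall and
# exclude only HTTP, this time on the *destination* side. Ports the firewall
# blocks carry no traffic anyway, so nothing open can be forgotten.
# Source is "any any" rather than $EXTERNAL_NET so that internal hosts sending
# odd payloads to non-existing services are seen too ("not all the bad guys
# are on the outside"). sid values are local-range placeholders for this example.
alert tcp any any -> $HOME_NET !80 \
  (msg:"SHELLCODE x86 NOOP (all ports except HTTP, destination scoping)"; \
   content:"|90 90 90 90 90 90 90 90|"; depth:128; \
   classtype:shellcode-detect; sid:1000002; rev:1;)
```

Expect more alerts from the second form on binary protocols whose payloads legitimately contain long runs of 0x90; tune with per-port exclusions rather than by dropping the rule.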
