[Snort-users] SHELLCODE Attacks
Erwin Van de Velde
erwin.vandevelde at ...10361...
Fri Dec 5 13:23:03 EST 2003
> *theoretically* I believe the intent is to not catch HTTP replies.. but the
> shellcode rules are completely broken the way they are written.
Catching HTTP traffic could lead to too many false positives...
> Personally, I re-write these rules on a per-case basis for my uses. I have
> one copy of each rule monitor all accessible ports on all servers. (inbound
> to tcp/dns, tcp/smtp, tcp/http, etc)
This seems not so good to me... wouldn't it be better to check for shellcode
attacks on all ports behind the firewall (except for HTTP perhaps)? This way
you cannot forget a port that is open and the traffic on ports that are
filtered by the firewall isn't there anymore anyway... Only people behind the
firewall, sending 'strange traffic' on ports that are not open could result
in extra shellcode attack warnings... but perhaps you should watch people on
your network trying to access non-existing services... Not all the bad guys
are on the outside, you know....
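As an added illustration of the three rule layouts discussed in this thread (it is not part of the original messages or of the stock Snort rule set), assuming Snort 2.x rule syntax and the usual snort.conf variables; the stock rule is reproduced approximately from memory, and the network ranges, server variables and local sids (1000001 and up) are placeholders:

```snort
# snort.conf fragment (Snort 2.x). The stock shellcode rules key on the
# SOURCE port: SHELLCODE_PORTS = !80 is what leaves HTTP replies out.
var HOME_NET 192.168.1.0/24          # placeholder, assumed
var EXTERNAL_NET !$HOME_NET
var SHELLCODE_PORTS !80

# Approximate shape of the stock rule: any source port except 80, from
# outside, to any port on any internal host. An external attacker who
# sends the exploit FROM source port 80 is therefore never inspected.
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any \
    (msg:"SHELLCODE x86 NOOP"; \
    content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth:128; \
    classtype:shellcode-detect; sid:648; rev:5;)

# Layout 1 (per-service copies, as in the quoted post): one copy of the
# rule per reachable service, matched on the DESTINATION port of the
# server that actually listens there. Server variables are placeholders.
var DNS_SERVERS  192.168.1.53
var SMTP_SERVERS 192.168.1.25
var HTTP_SERVERS 192.168.1.80
alert tcp $EXTERNAL_NET any -> $DNS_SERVERS 53 \
    (msg:"SHELLCODE x86 NOOP inbound to DNS"; \
    content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth:128; \
    classtype:shellcode-detect; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 \
    (msg:"SHELLCODE x86 NOOP inbound to SMTP"; \
    content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth:128; \
    classtype:shellcode-detect; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \
    (msg:"SHELLCODE x86 NOOP inbound to HTTP"; \
    content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth:128; \
    classtype:shellcode-detect; sid:1000003; rev:1;)
# Drawback: a service you forget to list is never checked.

# Layout 2 (this reply's proposal): every destination port on every host
# behind the firewall, HTTP excepted to keep web traffic from alerting.
# Source is "any", so an internal host poking at a port that has no
# service also trips the rule; ports the firewall drops never reach the
# sensor, so they cost nothing.
alert ip any any -> $HOME_NET !80 \
    (msg:"SHELLCODE x86 NOOP to internal host, non-HTTP port"; \
    content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth:128; \
    classtype:shellcode-detect; sid:1000004; rev:1;)
```

The depth:128 keeps each rule to the first 128 payload bytes, which is what bounds the false-positive cost of widening the port match; if you drop it to inspect whole packets, expect binary downloads on non-HTTP ports to start matching the NOOP sled.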