[Snort-users] SHELLCODE Attacks

Matt Kettler mkettler at ...4108...
Fri Dec 5 13:39:00 EST 2003


At 04:22 PM 12/5/2003, Erwin Van de Velde wrote:
> > Personally, I re-write these rules on a per-case basis for my uses. I have
> > one copy of each rule monitor all accessible ports on all servers. (inbound
> > to tcp/dns, tcp/smtp, tcp/http, etc)
>This seems not so good to me... wouldn't it be better to check for shellcode
>attacks on all ports behind the firewall (except for HTTP perhaps)?

Yes, albeit you increase your false-alarm noise level. I use this strategy 
mostly to detect buffer overflow attacks against the DMZ servers.

>  but perhaps you should watch people on your network trying to access 
> non-existing services...

I do this and a whole lot more.. I use spade, which has this functionality 
built in. I also use many customized rules, and egress filtering at the 
firewall..

>  Not all the bad guys are on the outside, you know....

Agreed, even if all of your "insiders" are 100% trusted, one of them could 
have a worm.

Just because I stated that I use the shellcode rules one way doesn't mean I 
trust my inside network.

I also am intentionally vague when posting to the list. After all, I never 
said I don't look for outbound packets containing shellcode.. I merely 
stated that I DO look for it per-server on selected ports inbound and that 
I do that by copying and customizing them for my own specifics.

My intent was to get them going on the idea of tweaking these rules, and 
provide some starting suggestions, without detailing my exact configuration 
enough to assist attackers.
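As an added example (not code from this thread), one way to do the per-server copying Matt describes: a small Python script that takes a stock-format Snort shellcode rule and emits inbound TCP copies bound to specific server variables and ports, each with its own local SID and a tagged msg so alerts are easy to triage. The sample rule text, the $DNS_SERVERS/$SMTP_SERVERS/$HTTP_SERVERS variable names and the port list are constructed assumptions, not a real ruleset or anyone's actual configuration.

```python
import re

# Constructed sample written in the shape of a stock Snort 2.x shellcode rule
# (not copied from the thread or from a specific ruleset release).
STOCK_RULE = (
    'alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS '
    '(msg:"SHELLCODE x86 NOOP"; '
    'content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth:128; '
    'classtype:shellcode-detect; sid:648; rev:7;)'
)

# Assumed per-server scoping: (label, snort.conf variable, port).
# The variable names are hypothetical; define them in snort.conf.
SERVICES = [
    ("dns", "$DNS_SERVERS", "53"),
    ("smtp", "$SMTP_SERVERS", "25"),
    ("http", "$HTTP_SERVERS", "80"),
]

LOCAL_SID_BASE = 1000000  # local rules conventionally use sid >= 1,000,000

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$'
)


def scope_rule(rule, services, sid_base=LOCAL_SID_BASE):
    """Return one inbound TCP copy of `rule` per (label, servers, port)."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Snort rule: " + rule)
    action, _proto, src, sport, direction, _dst, _dport, opts = m.groups()
    # Drop the stock sid/rev so every copy gets a unique local sid.
    opts = re.sub(r'\s*(sid|rev):\d+;', '', opts).strip()
    out = []
    for i, (label, servers, port) in enumerate(services):
        # Tag the msg with the service so an analyst sees the scope at once.
        tagged = re.sub(r'msg:"([^"]*)"',
                        lambda mm: f'msg:"{mm.group(1)} inbound {label}/{port}"',
                        opts, count=1)
        out.append(f'{action} tcp {src} {sport} {direction} {servers} {port} '
                   f'({tagged} sid:{sid_base + i}; rev:1;)')
    return out


if __name__ == "__main__":
    for r in scope_rule(STOCK_RULE, SERVICES):
        print(r)
```

Each emitted line can be appended to local.rules; the stock rule stays untouched so it can still be enabled separately for the broader "all ports behind the firewall" variant discussed above.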