[Snort-users] SHELLCODE Attacks

Jeff Nathan jeff at ...950...
Fri Dec 5 14:17:04 EST 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Dec 5, 2003, at 4:22 PM, Erwin Van de Velde wrote:

> This seems not so good to me... wouldn't it be better to check for shellcode
> attacks on all ports behind the firewall (except for HTTP perhaps)? This way
> you cannot forget a port that is open and the traffic on ports that are
> filtered by the firewall isn't there anymore anyway... Only people behind the
> firewall, sending 'strange traffic' on ports that are not open could result
> in extra shellcode attack warnings... but perhaps you should watch people on
> your network trying to access non-existing services... Not all the bad guys
> are on the outside, you know....

The reason for excluding webserver ports is that certain binary data 
can resemble shellcode.  For example, a GIF color table can look like a 
NOP sled.  Also, if you're using curses over telnet, it can 
resemble shellcode.

- -Jeff

- --
http://cerberus.sourcefire.com/~jeff       (gpg/pgp key id 6923D3FD)
"Common sense is the collection of prejudices acquired by age
eighteen."   - Albert Einstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/0QPOEqr8+Gkj0/0RArlyAJ99MXRgVkeuHB/AMdd8zcEeOxJolQCfWAzk
n0Rlcb4X7+rly23bN2DhOeM=
=iC5v
-----END PGP SIGNATURE-----
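As an added illustration of the false-positive problem Jeff describes (this is example code written for this archive page, not anything posted in the thread and not Snort's own rule engine): a toy x86 NOP-sled check, modelled loosely on the idea behind the Snort x86 NOOP shellcode rule, run against a constructed GIF whose global colour table happens to be filled with a grey of value 0x90. The run-length threshold (MIN_RUN), the excluded port set (WEB_PORTS), the sample GIF bytes and the function names are all assumptions made here for the demo.

```python
# Added example, not from the Snort-users thread. A simplified NOP-sled
# check plus a port exclusion, run on constructed data to show why binary
# content on web ports (a GIF colour table here) trips a naive rule.

NOP = 0x90                 # x86 single-byte NOP opcode
MIN_RUN = 14               # assumed threshold: this many consecutive NOPs alerts
WEB_PORTS = {80, 443, 8080}  # assumed exclusion list, as the thread suggests


def longest_nop_run(payload: bytes) -> int:
    """Return the length of the longest run of consecutive 0x90 bytes."""
    best = run = 0
    for b in payload:
        run = run + 1 if b == NOP else 0
        if run > best:
            best = run
    return best


def looks_like_nop_sled(payload: bytes, min_run: int = MIN_RUN) -> bool:
    """True when the payload contains a NOP run at or above the threshold."""
    return longest_nop_run(payload) >= min_run


def gif_with_colour_table(rgb: tuple, entries: int = 16) -> bytes:
    """Build a minimal GIF89a header followed by a global colour table whose
    `entries` slots all hold the same RGB triplet (constructed sample data).
    Packed field 0xF3: global colour table present, 2^(3+1) = 16 entries."""
    assert entries == 16, "demo builds a 16-entry table only"
    header = b"GIF89a" + b"\x10\x00\x10\x00" + b"\xf3\x00\x00"
    return header + bytes(rgb) * entries


def inspect(dst_port: int, payload: bytes, exclude_ports=WEB_PORTS) -> str:
    """Classify one packet the way a port-filtered shellcode rule would."""
    if dst_port in exclude_ports:
        return "skipped (excluded port)"
    if looks_like_nop_sled(payload):
        return "ALERT: possible NOP sled"
    return "clean"


# Constructed samples: a grey GIF (every colour table byte is 0x90) and a
# harmless FTP command line.
GREY_GIF = gif_with_colour_table((0x90, 0x90, 0x90))
FTP_LINE = b"USER anonymous\r\n"


if __name__ == "__main__":
    # Same bytes, different verdict depending only on destination port.
    print("GIF to port 80:", inspect(80, GREY_GIF))
    print("GIF to port 21:", inspect(21, GREY_GIF))   # false positive
    print("FTP to port 21:", inspect(21, FTP_LINE))
```

The point the demo makes is that the colour table is 48 contiguous 0x90 bytes, well past any reasonable run threshold, so a byte-pattern rule with no protocol awareness cannot tell it from a sled; excluding the ports that legitimately carry such binary data is the cheap fix the thread settles on, at the cost of blind spots on those ports.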
