[Snort-users] SHELLCODE Attacks

Jeff Nathan jeff at ...950...
Fri Dec 5 14:17:04 EST 2003


On Dec 5, 2003, at 4:22 PM, Erwin Van de Velde wrote:

> This seems not so good to me... wouldn't it be better to check for shellcode
> attacks on all ports behind the firewall (except for HTTP perhaps)? This way
> you cannot forget a port that is open and the traffic on ports that are
> filtered by the firewall isn't there anymore anyway... Only people behind the
> firewall, sending 'strange traffic' on ports that are not open could result
> in extra shellcode attack warnings... but perhaps you should watch people on
> your network trying to access non-existing services... Not all the bad guys
> are on the outside, you know....

The reason for excluding webserver ports is that certain binary data can
resemble shellcode.  For example, a GIF color table can look like a NOP sled.
Also, if you're using curses over telnet, it can resemble shellcode.

-Jeff

--
http://cerberus.sourcefire.com/~jeff       (gpg/pgp key id 6923D3FD)
"Common sense is the collection of prejudices acquired by age
eighteen."   - Albert Einstein
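To illustrate the false-positive risk Jeff describes, here is an added example (not from the original thread and not Snort's own code): a simplified x86 NOP-sled check in the spirit of the classic SHELLCODE x86 NOOP rule, run against a constructed GIF whose global color table is entirely the gray 0x909090, with and without the web-port exclusion. The 14-byte run threshold, the web-port set and the GIF layout are assumptions made for the example.

```python
import struct

NOP = 0x90          # x86 single-byte NOP opcode
SLED_LEN = 14       # assumed threshold: this many consecutive NOPs count as a sled
WEB_PORTS = frozenset({80, 443})   # assumed "webserver ports" to exclude


def nop_sled_offset(payload: bytes, min_len: int = SLED_LEN) -> int:
    """Return the offset of the first run of >= min_len NOP bytes, or -1."""
    run = 0
    for i, b in enumerate(payload):
        run = run + 1 if b == NOP else 0
        if run >= min_len:
            return i - min_len + 1
    return -1


def gif_with_gray_palette(n_colors: int = 256) -> bytes:
    """Constructed GIF89a header plus a global color table where every entry is
    RGB 0x90,0x90,0x90: 768 bytes of 0x90 in a row, indistinguishable from a
    NOP sled to a byte-pattern check."""
    # logical screen 1x1; 0xF7 = global color table present, 256 entries
    header = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0xF7, 0, 0)
    palette = bytes([NOP, NOP, NOP]) * n_colors
    return header + palette


def inspect(dst_port: int, payload: bytes, exclude_web: bool = True):
    """Mimic the rule's decision: None when no alert, else the alert text.
    With exclude_web=True the GIF on port 80 is skipped; on port 445 it is not."""
    if exclude_web and dst_port in WEB_PORTS:
        return None
    off = nop_sled_offset(payload)
    if off < 0:
        return None
    return f"SHELLCODE x86 NOOP: {SLED_LEN}+ NOPs at offset {off} on port {dst_port}"


if __name__ == "__main__":
    gif = gif_with_gray_palette()
    print(inspect(80, gif))                     # None: web port excluded
    print(inspect(80, gif, exclude_web=False))  # false positive on the image
    print(inspect(445, gif))                    # same bytes, still alerts
```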
