[Snort-users] SHELLCODE Attacks

Matt Kettler mkettler at ...4108...
Fri Dec 5 14:38:01 EST 2003


At 05:16 PM 12/5/2003,  Jeff wrote:
>The reasons for excluding webserver ports are that certain binary data can 
>resemble shellcode.  For example, a GIF color table can look like a NOP 
>sled.  Also, if you're using curses over telnet, it can also resemble 
>shellcode.

Agreed... And for reference, even though the ruleset in Snort 2.0.5 is 
broken (i.e., HTTP exclusion on the wrong side), this appears to be fixed in 
snortrules-current and snortrules-stable on the website.




