[Snort-users] SHELLCODE Attacks

Naman Latif naman.latif at ...10264...
Fri Dec 5 14:45:01 EST 2003


Thanks.
Modifying the Rules will be a good starting point for me.



-----Original Message-----
From: Matt Kettler [mailto:mkettler at ...4108...] 
Sent: Friday, December 05, 2003 12:37 PM
To: Naman Latif; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] SHELLCODE Attacks

At 03:05 PM 12/5/2003, Naman Latif wrote:
>Does that mean that no SHELLCODE attacks exist for port 80 ?

Plenty of shellcode attacks exist for webservers.

*theoretically* I belive the intent is to not catch HTTP replies.. but
the 
shellcode rules are completely broken the way they are written.

Really you probably want to look for shellcode attacks with source-port 
!80.. instead of dest-port !80.

Personally, I re-write these rules on a per-case basis for my uses. I
have 
one copy of each rule monitor all accessible ports on all servers.
(inbound 
to tcp/dns, tcp/smtp, tcp/http, etc)





More information about the Snort-users mailing list