[Snort-users] SHELLCODE Attacks

Naman Latif naman.latif at ...10264...
Fri Dec 5 14:45:01 EST 2003

Modifying the Rules will be a good starting point for me.

-----Original Message-----
From: Matt Kettler [mailto:mkettler at ...4108...] 
Sent: Friday, December 05, 2003 12:37 PM
To: Naman Latif; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] SHELLCODE Attacks

At 03:05 PM 12/5/2003, Naman Latif wrote:
>Does that mean that no SHELLCODE attacks exist for port 80 ?

Plenty of shellcode attacks exist for webservers.

*theoretically* I belive the intent is to not catch HTTP replies.. but
shellcode rules are completely broken the way they are written.

Really you probably want to look for shellcode attacks with source-port 
!80.. instead of dest-port !80.

Personally, I re-write these rules on a per-case basis for my uses. I
one copy of each rule monitor all accessible ports on all servers.
to tcp/dns, tcp/smtp, tcp/http, etc)

More information about the Snort-users mailing list