Snort mailing list archives
Re: question about finding out about traffic
From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 26 Apr 2002 16:46:01 -0400
Your first place to go should be here: http://www.snort.org/snort-db/ (enter the SID and search). If there isn't much good information yet, check the reference links (if those are populated).
648 does not yet have a full description, but does have an arachnids reference link with good information.
You can also try digging through the archives of the snort-sigs mailing list, which for SID 648 yields this submission that has not yet made it to the web database. (I searched my local archive, since I subscribe, but I believe there is a web archive).
Rule:
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 NOOP"; content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth: 128; reference:arachnids,181; classtype:shellcode-detect; sid:648; rev:4;)

Sid: 648

Summary: A series of NOP instructions for Intel's x86 architecture was detected.

Impact: As part of an attack on a remote service, an attacker may attempt to take advantage of insecure coding practices in hopes of executing arbitrary code. This procedure generally makes use of NOPs.

Detailed Information: The NOP allows an attacker to fill an address space with a large number of NOPs followed by his or her code of choice. This allows "sledding" into the attacker's shellcode.

Attack Scenarios: If a particular service was written using unsafe functions without bounds checking (strcpy(), strcat(), sprintf() etc...), it is possible to write arbitrary data to the address space of the service. Normally, this may just cause the program to die a horrible death. However, if you can get the return address to point to the beginning of the newly written data, it is possible to execute code of your choice. This requires that the newly written data is actual executable data. Since calculating exactly where the return address may point to is no small task, a popular technique is to pad the space leading up to your shellcode with NOPs. This way, if the return address points anywhere in the series of NOPs, execution will slide down into your shellcode.

Ease of Attack: Not so trivial. This particular technique requires a knowledge of x86 assembly coding, memory, and usually an intimate understanding of the code that one is attempting to exploit. Unfortunately, there are hundreds upon hundreds of canned exploits that nearly anyone with the ability to point and click can use and wreak havoc with.

False Positives: Many. The x86 NOP can frequently be found in day-to-day traffic, particularly when transferring large files.

False Negatives: Few. There are other techniques to emulate a NOP. Additionally, if the attacker's NOP sled is small enough (< 15), this particular attack may slip by. Fortunately, NOP sleds are generally quite large.

Corrective Action: Determine if this NOP was part of an attack or simply part of an innocent stream of data.

Contributors: Jon Hart <jhart () ccs neu edu>

Additional References: (aleph1's classic article from Phrack?)

At 02:26 PM 4/26/2002 -0500, Taylor Lewick wrote:
Once I look through a log file and find something I want to investigate more, where do I go to find out more information about what I am seeing (besides the internet, obviously)? For instance, I am seeing a bunch of shellcode x86 NOOP [**] traffic, from one box to another on our network, so I assume nothing too bad is going on. But how do I find out more about this specific traffic stream, i.e. sid of 648 in shellcodes.rules... Meaning, if this was a real attack, what kind of attack is it and what kinds of things is it used to do...

Thanks,
Taylor

Taylor Lewick
Unix System Administrator
Fortis Benefits
816 881 6073
"Help Wanted. Seeking Telepath..."
"You Know where to apply."
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
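As an added illustration (not part of the original thread), the following Python re-implements the matching logic of the SID 648 rule quoted above (14 consecutive 0x90 bytes, searched only within the first 128 payload bytes) so you can see for yourself why it fires on innocent file-transfer padding and why a sled shorter than the pattern, or one that starts past the depth limit, slips by. All sample payloads are constructed, not captured traffic.

```python
# Emulation of Snort SID 648: content:"|90 x14|"; depth:128;
# Added example, not code from the snort-sigs submission or from Snort itself.

NOP_PATTERN = b"\x90" * 14   # the 14-byte content match from the rule
DEPTH = 128                  # depth:128 -> only the first 128 payload bytes are searched


def sid648_match(payload: bytes) -> int:
    """Return the offset where the rule would match, or -1 if it would not fire.

    Snort's depth keyword bounds the search window from the start of the
    payload, so the whole 14-byte pattern must fit inside payload[:128].
    """
    return payload[:DEPTH].find(NOP_PATTERN)


def longest_nop_run(payload: bytes) -> int:
    """Longest run of 0x90 bytes anywhere in the payload, ignoring the depth limit.

    Useful when triaging an alert: a 16-byte run inside a large binary transfer
    looks very different from a several-hundred-byte run in a request body.
    """
    best = run = 0
    for b in payload:
        run = run + 1 if b == 0x90 else 0
        best = max(best, run)
    return best


# Constructed sample payloads used to exercise the rule (hypothetical, not real traffic).
SAMPLES = {
    # 40-byte sled after 8 bytes of filler: the classic case the rule was written for
    "sled_in_range": b"A" * 8 + b"\x90" * 40 + b"<placeholder>",
    # 13 NOPs only: one byte short of the pattern, so the rule is blind to it
    "short_sled": b"\x90" * 13 + b"<placeholder>",
    # 14 NOPs that begin at offset 120: only 8 of them fall inside depth:128
    "sled_past_depth": b"\x00" * 120 + b"\x90" * 14,
    # A chunk of a binary file transfer with a 16-byte 0x90 padding run: a false positive
    "file_padding": b"MZ" + b"\x00" * 30 + b"\x90" * 16 + b"\x00" * 30,
}


def triage(name: str) -> dict:
    """Summarise one sample the way an analyst would when deciding whether SID 648 matters."""
    payload = SAMPLES[name]
    return {"fires": sid648_match(payload) != -1,
            "offset": sid648_match(payload),
            "longest_run": longest_nop_run(payload)}


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, triage(sample))
```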
Current thread:
- question about finding out about traffic Taylor Lewick (Apr 26)
- Re: question about finding out about traffic Matt Kettler (Apr 26)