Snort mailing list archives
Re: [Snort-sigs] RE: SHELLCODE rules
From: Detmar Liesen <counter.spy () gmx de>
Date: Tue, 16 Jul 2002 22:32:01 +0200 (MEST)
Hi Matt, thanks for your reply.
Furthermore, it's obvious you're using an older vintage of snort. Newer releases of snort have this version:

bash$ grep "SHELLCODE x86 NOOP" shellcode.rules
alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE x86 NOOP"; content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth: 128; reference:arachnids,181; classtype:shellcode-detect; sid:648; rev:5;)
alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE x86 NOOP"; content:"|61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61|"; classtype:shellcode-detect; sid:1394; rev:3;)

and:

bash$ grep SHELLCODE_PORTS snort.conf
var SHELLCODE_PORTS !80
Yeah, this is true, I picked the rules from an older version on my desktop :) On our perimeter snort I have deployed the current ruleset, which is not much better regarding Shellcode rules (but it's a lot better than the 1.8.6 default ruleset).
Which isn't a whole lot better, but does help a little. Flows will definitely help this out a lot, but that's not a mainstream-release snort feature yet. With flows you could do a TCP rule that only caught flows where the machine inside your home_net was a server, not a client, and have separate rules for UDP and ICMP.
I am looking forward to deploying flow-rulesets in the next release, if this will be fully implemented then.
Personally I'm currently running modified versions of the shellcode rules that only monitor ports on machines in my DMZ which are public services. This is a bit limited in protection, but it's also not likely to false (i.e. shellcode in traffic to your public DNS server on port 53 is most likely a real, live exploit attempt, especially if it is TCP/53). I get some peace of mind in having the "most likely targets" monitored without having to remove the rule entirely due to high false rate.
Thanks for your input. I am realizing that there is still much for me to learn in order to tune snort properly for optimal results. This is one thing that I have learned from my thesis: administration and tuning of an IDS is *much* work and not trivial.

Cheers,
Detmar
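The two rules quoted above and the two targeting policies the thread compares (the stock `$SHELLCODE_PORTS !80` versus Matt's "only public services in the DMZ" tuning), re-implemented as a small Python matcher and run over constructed sample packets. This is example code added to the archive page, not Snort and not from either poster; the 192.0.2.0/24 home net, the DMZ hosts 192.0.2.53 and 192.0.2.25, and all packet payloads are assumptions made up for the demonstration.

```python
"""Toy re-implementation of Snort content/depth matching for the two
SHELLCODE x86 NOOP rules quoted in the thread (sid 648 and sid 1394).
Example code added for illustration; it is not Snort and not part of the
original mail. Addresses, ports and payloads below are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Assumptions (not from the mail): $HOME_NET is 192.0.2.0/24; the DMZ public
# services are DNS on 192.0.2.53 (tcp+udp/53) and SMTP on 192.0.2.25.
HOME_NET_PREFIX = "192.0.2."
SHELLCODE_PORTS_EXCLUDED = {80}                      # var SHELLCODE_PORTS !80
DMZ_PUBLIC_SERVICES = {("192.0.2.53", "tcp", 53),
                       ("192.0.2.53", "udp", 53),
                       ("192.0.2.25", "tcp", 25)}


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    content: bytes
    depth: Optional[int]      # None: search the whole payload


# The two rules as quoted in the thread; no depth is visible for sid 1394.
RULES = (
    Rule(648, "SHELLCODE x86 NOOP", b"\x90" * 14, 128),
    Rule(1394, "SHELLCODE x86 NOOP", b"\x61" * 21, None),
)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                # "tcp" or "udp"
    dport: int
    payload: bytes


TargetPolicy = Callable[[Packet], bool]


def default_target(pkt: Packet) -> bool:
    """$EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS, SHELLCODE_PORTS = !80."""
    return (not pkt.src.startswith(HOME_NET_PREFIX)
            and pkt.dst.startswith(HOME_NET_PREFIX)
            and pkt.dport not in SHELLCODE_PORTS_EXCLUDED)


def dmz_target(pkt: Packet) -> bool:
    """The DMZ tuning from the thread: only the public services, as server side."""
    return (not pkt.src.startswith(HOME_NET_PREFIX)
            and (pkt.dst, pkt.proto, pkt.dport) in DMZ_PUBLIC_SERVICES)


def rule_matches(rule: Rule, pkt: Packet, target_ok: TargetPolicy) -> bool:
    """Snort semantics: the header must match, then 'content' must be found
    entirely within the first 'depth' payload bytes (whole payload if unset)."""
    if not target_ok(pkt):
        return False
    window = pkt.payload if rule.depth is None else pkt.payload[:rule.depth]
    return rule.content in window


def scan(packets, target_ok: TargetPolicy) -> List[Tuple[str, str, int, int]]:
    """Return (dst, proto, dport, sid) for every rule hit under the given policy."""
    return [(p.dst, p.proto, p.dport, r.sid)
            for p in packets for r in RULES if rule_matches(r, p, target_ok)]


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = (
    # 1: binary upload to the web server with a NOP run; excluded by !80
    Packet("203.0.113.7", "192.0.2.80", "tcp", 80,
           b"POST /up HTTP/1.0\r\n\r\n" + b"\x90" * 40),
    # 2: NOP sled near the start of a TCP/53 payload to the public DNS server
    Packet("203.0.113.7", "192.0.2.53", "tcp", 53,
           b"\x00\x40" + b"\x90" * 30 + b"\xeb\x1f"),
    # 3: same sled to the mail relay, but past byte 128; depth:128 misses it
    Packet("203.0.113.7", "192.0.2.25", "tcp", 25, b"A" * 200 + b"\x90" * 30),
    # 4: run of 'a' (0x61) to an internal file server: hits sid 1394 under the
    #    stock policy, but the host is not a DMZ public service
    Packet("203.0.113.7", "192.0.2.10", "tcp", 445, b"\x61" * 64),
    # 5: outbound traffic from inside carrying a NOP run; wrong direction
    Packet("192.0.2.10", "203.0.113.7", "tcp", 443, b"\x90" * 20),
)

if __name__ == "__main__":
    for name, policy in (("default", default_target), ("dmz", dmz_target)):
        print(name, scan(SAMPLE_PACKETS, policy))
```

Running it shows the trade-off the thread describes: the stock policy alerts on packets 2 and 4, the DMZ policy only on packet 2 (the TCP/53 sled to the public DNS server), and neither policy sees packet 3 because the sled starts beyond the 128-byte depth window.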