Snort mailing list archives

Re: [Snort-sigs] RE: SHELLCODE rules


From: Detmar Liesen <counter.spy () gmx de>
Date: Tue, 16 Jul 2002 22:32:01 +0200 (MEST)

Hi Matt, thanks for your reply.


> Furthermore, it's obvious you're using an older vintage of snort. Newer
> releases of snort have this version:
>
> bash$ grep "SHELLCODE x86 NOOP" shellcode.rules
> alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth:128; reference:arachnids,181; classtype:shellcode-detect; sid:648; rev:5;)
> alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE x86 NOOP"; content:"|61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61|"; classtype:shellcode-detect; sid:1394; rev:3;)
>
> and:
>
> bash$ grep SHELLCODE_PORTS snort.conf
> var SHELLCODE_PORTS !80

Yeah, this is true, I picked the rules from an older version on my desktop :)
On our perimeter snort I have deployed the current ruleset, which is not much
better regarding Shellcode rules (but it's a lot better than the 1.8.6
default ruleset).

> Which isn't a whole lot better, but does help a little. Flows will
> definitely help this out a lot, but that's not a mainstream-release snort
> feature yet. With flows you could do a TCP rule that only caught flows
> where the machine inside your home_net was a server, not a client, and have
> separate rules for UDP and ICMP.

I am looking forward to deploying flow-rulesets in the next release, if this
will be fully implemented then.

> Personally I'm currently running modified versions of the shellcode rules
> that only monitor ports on machines in my DMZ which are public services.
> This is a bit limited in protection, but it's also not likely to false (i.e.
> shellcode in traffic to your public DNS server on port 53 is most likely a
> real, live exploit attempt, especially if it is TCP/53). I get some peace
> of mind in having the "most likely targets" monitored without having to
> remove the rule entirely due to high false rate.

Thanks for your input. I am realizing that there is still much for me to
learn in order to tune snort properly for optimal results. This is one thing
that I have learned from my thesis: administration and tuning of an IDS is
*much* work and not trivial.

Cheers,
Detmar

-- 
GMX - Die Kommunikationsplattform im Internet.
http://www.gmx.net
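The rules quoted in this thread fire on any packet whose first bytes contain a run of 0x90 (depth:128) or of 0x61 ("a") to any port except 80, which is why they false so readily, and why the reply above restricts them to the ports of public DMZ services instead. The following is an added example, not code from the thread or from the Snort project: a small Python model of Snort's content/depth matching and of a negated port variable like "var SHELLCODE_PORTS !80", run over constructed packets to compare the stock rules with a port-restricted variant. The rule contents and sids 648/1394 are the ones quoted above; the DMZ ports (53, 25), the local sids 1000001/1000002 and all payloads are assumptions made for illustration.

```python
# Added example, not code from the thread: a minimal model of Snort's
# "content"/"depth" matching and of a negated port variable ("!80"),
# run over constructed packets. Rule contents and sids 648/1394 come
# from the thread; DMZ ports, local sids and payloads are assumed.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    dst_port: int       # 0 for protocols without ports
    payload: bytes


@dataclass(frozen=True)
class Rule:
    sid: int
    content: bytes
    depth: Optional[int]                        # None: search the whole payload
    dst_ports: Optional[FrozenSet[int]]         # None: any destination port
    negate_ports: bool = False                  # True models "!80"
    protos: Optional[FrozenSet[str]] = None     # None models "alert ip" (any proto)


def port_allowed(rule: Rule, port: int) -> bool:
    """Port check with Snort-style negation: "!80" means every port but 80."""
    if rule.dst_ports is None:
        return True
    inside = port in rule.dst_ports
    return (not inside) if rule.negate_ports else inside


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Content must occur within the first `depth` payload bytes (Snort's depth)."""
    if rule.protos is not None and pkt.proto not in rule.protos:
        return False
    if not port_allowed(rule, pkt.dst_port):
        return False
    window = pkt.payload if rule.depth is None else pkt.payload[: rule.depth]
    return rule.content in window


def run(rules: List[Rule], packets: List[Packet]) -> List[Tuple[int, int]]:
    """Return (sid, packet_index) for every rule that fires, in packet order."""
    return [(r.sid, i) for i, p in enumerate(packets) for r in rules if rule_matches(r, p)]


NOP_SLED = b"\x90" * 14        # content of sid 648 (14 x NOP)
POPAD_SLED = b"\x61" * 21      # content of sid 1394 (21 x POPAD, i.e. "a" * 21)

# The stock rules: any IP protocol, every port except 80 ($SHELLCODE_PORTS = !80).
DEFAULT_RULES = [
    Rule(648, NOP_SLED, depth=128, dst_ports=frozenset({80}), negate_ports=True),
    Rule(1394, POPAD_SLED, depth=None, dst_ports=frozenset({80}), negate_ports=True),
]

# The tuning described in the thread: same contents, but only towards the
# ports of public DMZ services (53 and 25 assumed), under local sids.
DMZ_SERVICE_PORTS = frozenset({53, 25})
TUNED_RULES = [
    Rule(1000001, NOP_SLED, depth=128, dst_ports=DMZ_SERVICE_PORTS),
    Rule(1000002, POPAD_SLED, depth=None, dst_ports=DMZ_SERVICE_PORTS),
]

# Constructed sample traffic (not captured data).
FORM_POST = b"POST /form HTTP/1.1\r\n\r\nname=" + b"a" * 30
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             + b"\x1e" + b"a" * 30 + b"\x07example\x03com\x00\x00\x01\x00\x01")
PACKETS = [
    Packet("tcp", 53, b"\x00" * 12 + b"\x90" * 64 + b"\xcc\xeb\xfe"),  # 0: sled at a DNS server
    Packet("tcp", 443, b"GET /" + b"A" * 200 + b"\x90" * 64),         # 1: sled beyond depth 128
    Packet("tcp", 8080, FORM_POST),                                   # 2: "aaaa..." to a proxy port
    Packet("tcp", 80, FORM_POST),                                     # 3: same, excluded by !80
    Packet("udp", 53, DNS_QUERY),                                     # 4: legitimate 30-byte label
]

if __name__ == "__main__":
    print("default:", run(DEFAULT_RULES, PACKETS))  # [(648, 0), (1394, 2), (1394, 4)]
    print("tuned:  ", run(TUNED_RULES, PACKETS))    # [(1000001, 0), (1000002, 4)]
```

Packet 2 is the classic false positive: a form field full of "a" characters to a non-80 port trips sid 1394, and only the port restriction removes it. Packet 1 shows the other side of the trade-off: a sled that begins past byte 128 is missed by sid 648 in both rule sets, because depth bounds the search. Packet 4 shows that port restriction alone does not cure everything; a long but legal DNS label still matches 21 x 0x61 on UDP/53, so the per-protocol rules Matt mentions (TCP only towards DMZ servers, separate UDP and ICMP rules) are the next step.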


