Snort mailing list archives

Re: SHELLCODE Attacks


From: Erwin Van de Velde <erwin.vandevelde () ua ac be>
Date: Fri, 5 Dec 2003 22:22:49 +0100

> *theoretically* I believe the intent is to not catch HTTP replies.. but the
> shellcode rules are completely broken the way they are written.
> Catching HTTP traffic could lead to too many false positives...

> Personally, I re-write these rules on a per-case basis for my uses. I have
> one copy of each rule monitor all accessible ports on all servers. (inbound
> to tcp/dns, tcp/smtp, tcp/http, etc)
This seems not so good to me... wouldn't it be better to check for shellcode 
attacks on all ports behind the firewall (except for HTTP perhaps)? This way 
you cannot forget a port that is open and the traffic on ports that are 
filtered by the firewall isn't there anymore anyway... Only people behind the 
firewall, sending 'strange traffic' on ports that are not open could result 
in extra shellcode attack warnings... but perhaps you should watch people on 
your network trying to access non-existing services... Not all the bad guys 
are on the outside, you know....
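The two scoping approaches being debated, written out in snort.conf syntax as an added example (this is not from Erwin's post or the stock Snort ruleset; $EXTERNAL_NET and $HOME_NET are the standard snort.conf variables, while $DNS_SERVERS, $SMTP_SERVERS, the shortened NOP-sled content and the local sids are assumptions):

```snort
# Added example, not from the original post or the stock Snort ruleset.
# Assumes a Snort 2.x snort.conf in which $EXTERNAL_NET and $HOME_NET are
# already defined.

# Approach 1 (the "all ports except HTTP" idea): watch every destination
# port on the protected network, but skip packets whose *source* port is
# 80, so that HTTP replies (which legitimately carry binaries and long runs
# of 0x90) do not trip the rule. Only a single port can be negated here;
# HTTPS replies from 443 or a proxy on 8080 are still inspected.
var SHELLCODE_PORTS !80

# Illustrative x86 NOP-sled rule using that variable. The sid is in the
# local range (>= 1000000), so it does not collide with a stock rule.
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any \
    (msg:"LOCAL SHELLCODE x86 NOOP sled, any port"; \
     content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth:128; \
     classtype:shellcode-detect; sid:1000001; rev:1;)

# Approach 2 (the per-service copies from the quoted post): one copy of the
# rule per reachable service, keyed on the *destination* port. Every open
# service needs its own copy, and one that is forgotten is not monitored.
var DNS_SERVERS  [192.0.2.10]     # assumed addresses, RFC 5737 range
var SMTP_SERVERS [192.0.2.25]

alert tcp $EXTERNAL_NET any -> $DNS_SERVERS 53 \
    (msg:"LOCAL SHELLCODE x86 NOOP sled to DNS"; \
     content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth:128; \
     classtype:shellcode-detect; sid:1000002; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 \
    (msg:"LOCAL SHELLCODE x86 NOOP sled to SMTP"; \
     content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth:128; \
     classtype:shellcode-detect; sid:1000003; rev:1;)
```

The trade-off is visible in the headers: approach 1 excludes by source port, so it quietly gives up inspection of anything a server on port 80 sends, while approach 2 inspects only the destination ports you remembered to list. Where the sensor sits matters too: placed behind the firewall, as suggested above, approach 1 never sees the scan noise on filtered ports, and what remains on unexpected ports is internal hosts probing services that do not exist, which is worth an alert of its own.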


