Snort mailing list archives
Re: SHELLCODE Attacks
From: Jeff Nathan <jeff () snort org>
Date: Fri, 5 Dec 2003 17:16:41 -0500
On Dec 5, 2003, at 4:22 PM, Erwin Van de Velde wrote:
This seems not so good to me... wouldn't it be better to check for shellcode attacks on all ports behind the firewall (except for HTTP perhaps)? This way you cannot forget a port that is open and the traffic on ports that are filtered by the firewall isn't there anymore anyway... Only people behind the firewall, sending 'strange traffic' on ports that are not open could result in extra shellcode attack warnings... but perhaps you should watch people on your network trying to access non-existing services... Not all the bad guys are on the outside, you know....
The reasons for excluding webserver ports are that certain binary data can resemble shellcode. For example, a GIF color table can look like a NOP sled. Also, if you're using curses over telnet, it can also resemble shellcode.
-Jeff -- http://cerberus.sourcefire.com/~jeff (gpg/pgp key id 6923D3FD) "Common sense is the collection of prejudices acquired by age eighteen." - Albert Einstein
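The GIF false positive Jeff describes, as an added example that is not part of this thread or of Snort's own rule set: a naive x86 NOP-sled check modelled on the classic Snort shellcode rules (the 14-byte run threshold and the web port list are assumptions), a constructed GIF whose 256-entry colour table is all 0x90 bytes, and the port and file-magic exclusions that suppress the alert on that image while still firing on a bare NOP run to a non-web port.

```python
import struct

# Assumption: the classic Snort "SHELLCODE x86 NOOP" rule family keys on a run of
# consecutive 0x90 (x86 NOP) bytes; 14 is used here as the threshold.
NOP_RUN = 14
# Assumption: the web server ports a site would exclude from shellcode rules.
WEB_PORTS = {80, 8080}


def build_gif(width=4, height=4, rgb=(0x90, 0x90, 0x90)):
    """Constructed sample, not a real image: a minimal GIF89a whose 256-entry
    global colour table repeats one colour, so the table is 768 identical bytes."""
    header = b"GIF89a" + struct.pack("<HH", width, height)
    # packed byte 0xF7: global colour table present, colour resolution 7,
    # table size field 7 -> 2**(7+1) = 256 entries; then background index, aspect.
    header += bytes([0xF7, 0x00, 0x00])
    palette = bytes(rgb) * 256
    # image descriptor (',' + left, top, width, height + packed), LZW min code
    # size 8, one 1-byte data sub-block, block terminator, trailer ';'.
    body = b"," + struct.pack("<HHHH", 0, 0, width, height) + b"\x00"
    body += b"\x08\x01\x00\x00" + b";"
    return header + palette + body


def nop_sled_hits(payload: bytes, run: int = NOP_RUN) -> bool:
    """Naive detector: True if payload holds `run` consecutive 0x90 bytes."""
    return b"\x90" * run in payload


def looks_like_gif(payload: bytes) -> bool:
    """File-magic check; only helps when the GIF header is in the same
    payload as the colour table (i.e. the start of the object)."""
    return payload.startswith((b"GIF87a", b"GIF89a"))


def shellcode_alert(payload: bytes, dst_port: int,
                    exclude_ports=WEB_PORTS, skip_images: bool = True) -> bool:
    """Port-aware detector mirroring why shellcode rules skip web server ports,
    plus an optional content-based exclusion for GIF objects."""
    if dst_port in exclude_ports:
        return False
    if skip_images and looks_like_gif(payload):
        return False
    return nop_sled_hits(payload)
```

The grey palette (0x90,0x90,0x90) is a plausible real-world colour, which is exactly why a byte-run rule cannot distinguish it from a sled without port or content context.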
Current thread:
- SHELLCODE Attacks Naman Latif (Dec 05)
- Re: SHELLCODE Attacks Matt Kettler (Dec 05)
- Re: SHELLCODE Attacks Erwin Van de Velde (Dec 05)
- Re: SHELLCODE Attacks Matt Kettler (Dec 05)
- Re: SHELLCODE Attacks Jeff Nathan (Dec 05)
- Re: SHELLCODE Attacks Matt Kettler (Dec 05)
- Re: SHELLCODE Attacks Erwin Van de Velde (Dec 05)
- Re: SHELLCODE Attacks Matt Kettler (Dec 05)
- RE: SHELLCODE Attacks Naman Latif (Dec 05)