Snort mailing list archives
Re: Tuning Signatures
From: "AJ Butcher, Information Systems and Computing" <Alex.Butcher () bristol ac uk>
Date: Mon, 15 Mar 2004 08:58:38 +0000
--On 13 March 2004 20:43 -0500 Jim Terry <jtixthus () excite com> wrote:
> This is my first post to the list! I have Snort up and running and need help in understanding what the signature explanation is trying to tell me and what the rule categories mean. My background is more networking rather than programming or TCP/IP. It seems to me the rule explanations state plenty of coding information that does not mean too much to me. For instance NOOP. I take it NOOP is bad but it seems to be pretty common.
NOOP isn't bad per se. In fact, NOOP is about as neutral as it gets, as NOOP is the assembly mnemonic for "no operation" on many common microprocessors, 80x86 inclusive.
What those signatures are looking for (mostly in shellcode.rules) is shellcode sequences, i.e. microprocessor- and OS-specific machine code that is sent to exploit a vulnerability (typically a buffer overflow, but could be other classes too) and give the attacker some kind of ability to execute commands on the target machine. Shellcode is typically padded with NOOPs in order that it works regardless of the exact state of the target process/machine.
> What is the best document/book/man page to help in this matter? The Snort Users Manual did not do it for me.
<http://www.insecure.org/stf/smashstack.txt>, probably. If you have minimal programming experience (especially in machine code or assembly) you'll probably need to read it several times in order to get any kind of sense out of it. ;-)
> Thank you! Jim Terry
Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing
GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
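As an added illustration of the point Alex makes above (this is example code written for this archive page, not anything from the thread or from the Snort rule set), the small Python model below shows what a "SHELLCODE x86 NOOP" style signature is really doing and why it fires on traffic that is not an attack. The real rules in shellcode.rules are a `content:` match on a run of 0x90 bytes near the start of the payload; the threshold of 14 bytes and the depth of 128 used here are assumptions chosen for the example, not the exact values of any particular rule. The port exclusion models the `SHELLCODE_PORTS` variable that the stock snort.conf sets to `!80`, because compiled x86 programs downloaded over HTTP are padded with NOPs and would otherwise trip the rule constantly. All sample payloads are constructed, not captured traffic.

```python
from typing import Optional

# Toy model of the content match behind the x86 NOOP signatures in
# shellcode.rules: look for a long run of 0x90 (x86 NOP) bytes near the
# start of a packet payload. min_run/depth are assumptions for this
# example, not Snort's exact rule values.
NOP = 0x90


def longest_nop_run(payload: bytes, depth: Optional[int] = None) -> int:
    """Length of the longest run of consecutive 0x90 bytes within
    payload[:depth] (the whole payload when depth is None)."""
    window = payload if depth is None else payload[:depth]
    best = run = 0
    for b in window:
        if b == NOP:
            run += 1
            if run > best:
                best = run
        else:
            run = 0
    return best


def nop_sled_match(payload: bytes, min_run: int = 14, depth: int = 128) -> bool:
    """True when the payload would trip a 'SHELLCODE x86 NOOP'-style
    signature: at least min_run consecutive NOPs in the first depth bytes."""
    return longest_nop_run(payload, depth) >= min_run


def nop_sled_alert(payload: bytes, dst_port: int,
                   excluded_ports: frozenset = frozenset({80})) -> bool:
    """The same match, tuned the way a port variable such as SHELLCODE_PORTS
    does: skip traffic to ports where binary content (compiled code padded
    with NOPs) is expected, such as HTTP downloads on port 80."""
    if dst_port in excluded_ports:
        return False
    return nop_sled_match(payload)


# --- constructed sample payloads (not captured traffic) -------------------
# An overlong request with a 64-byte NOP sled in front of a placeholder body.
SLED_PAYLOAD = b"GET /cgi-bin/x?" + bytes([NOP]) * 64 + b"<placeholder>"
# An ordinary HTTP request: no 0x90 bytes at all.
CLEAN_TEXT = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
# Arbitrary binary data: 0x90 occurs, but never more than once in a row.
BINARY_BLOB = bytes(range(256)) * 2
# A fragment resembling a compiled x86 binary being downloaded: a RET,
# 15 bytes of NOP alignment padding, then the next function's prologue.
# Perfectly legitimate, yet it looks exactly like a short sled.
EXE_PADDING = b"\xc3" + bytes([NOP]) * 15 + b"\x55\x89\xe5"

if __name__ == "__main__":
    for name, data in [("sled", SLED_PAYLOAD), ("text", CLEAN_TEXT),
                       ("blob", BINARY_BLOB), ("exe", EXE_PADDING)]:
        print(f"{name:5s} longest run={longest_nop_run(data):3d} "
              f"match={nop_sled_match(data)} "
              f"alert(port 80)={nop_sled_alert(data, 80)} "
              f"alert(port 21)={nop_sled_alert(data, 21)}")
```

Running it shows the tuning problem in miniature: the sled and the executable fragment both match, because a signature cannot tell "machine code sent to exploit a bug" from "machine code sent because someone downloaded a program". That is why the NOOP rules are confined to ports where binary content is unexpected rather than being switched off, and why a flood of these alerts on a busy web server is usually a sign that `SHELLCODE_PORTS` needs adjusting for the local network, not a sign of an attack.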