Snort mailing list archives

Re: where can i find out the meaning (stealth nop)


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 09 Apr 2002 14:23:37 -0400

Well, if you intend to take IDS seriously.. don't use the vision ruleset. It's not been maintained since 8/21/2001, which is ancient in the IDS world.

The default ruleset that comes with snort is by far more current. Get snort 1.8.6 and use its ruleset.

Some of the rules in the default snort ruleset have documentation at the snort.org website (last item in the left column, "signature documentation"), which is a good first-try place to look. Unfortunately it seems that only the search-by-SID feature works for now, and there are no docs written for the stealth-nop one yet.

Briefly, here's my own interpretation of stealth-nop (yes, I'll clean up the formatting and submit this to snort-sigs later; I'm not being paid as I write this, and have work to do :)


SID:
651

Summary:
Binary data in an IP packet matched one kind of byte sequence used as filler in buffer overflow attacks.

Impact:
It is possible someone was attempting to buffer overflow and gain unauthorized access to one of your servers

Detailed Information:
This rule triggers when a binary pattern appears in any IP packet contents which matches one form of filler byte used in buffer overflow attacks. Buffer overflows allow execution of arbitrary code with the privilege level of the affected server process. A very detailed discussion of how basic buffer overflows work can be found in the text of "Smashing the Stack for Fun and Profit" by Aleph One in Phrack #49. A simple web search will reveal several sources of this document, one of which is http://online.securityfocus.com/library/14.


Attack Scenarios:
If the attacker suspects you have a server which is vulnerable to buffer overflow, they will attempt to exploit this vulnerability to gain access.


Ease of attack:
Tools that use buffer overflows with stealth nop are widely available.

False positives:
This byte pattern can naturally occur in almost any binary data, so file downloads, streaming media, etc. can cause this to false positive. If this traffic appears to be coming from a web or ftp server outside your network to one of your client machines, it is likely a false alert caused by someone downloading a binary file. If this was directed at a port on one of your machines which is running a server process, you may want to check to see if it has been exploited.




At 01:59 PM 4/9/2002 +0200, Fuchs Bernhard wrote:
Hi all!

I downloaded the Vision17 ruleset, but I can't find descriptions about what
messages mean!
Where can I find out about it, does anyone know??? I try to read myself through all
the stuff but well, time is rare :-)
I want to learn IDS seriously!!!
Is there a knowledge base???


shellcode_shellcode-x86-stealth-nop


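To make the "Detailed Information" and "False positives" sections above concrete, here is an added example (not code from the original post, and not Snort's own rule engine): a toy content matcher that reports where a filler byte pattern occurs in a packet payload, followed by the direction-based triage the post describes. The byte pattern, the home network prefix, the server port set and the sample packets are all constructed assumptions; the real content string belongs to the sid 651 line in your snort rules file and the rule's own `$HOME_NET`/`$EXTERNAL_NET` handling is not reproduced.

```python
"""Added example, not part of the original post or of Snort.

A minimal content match plus the triage heuristic from the post:
inbound from an outside server port to a local client port -> probably a
download; aimed at a local port with a server behind it -> investigate."""
from dataclasses import dataclass
from typing import List

# Assumption: constructed placeholder standing in for the rule's real
# content bytes (copy those from the sid 651 rule in your rules file).
FILLER_PATTERN = bytes.fromhex("1234567890ab")

# Assumptions for the demo: our address space and the ports we associate
# with server processes (used both for "outside server" and "local server").
HOME_NET_PREFIX = "10.0.0."
SERVER_PORTS = {21, 22, 25, 80, 443}


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def is_home(ip: str) -> bool:
    return ip.startswith(HOME_NET_PREFIX)


def match_offsets(payload: bytes, pattern: bytes = FILLER_PATTERN) -> List[int]:
    """Every offset at which the pattern starts (overlapping hits included):
    the raw fact the rule reports before any context is applied."""
    hits, start = [], payload.find(pattern)
    while start != -1:
        hits.append(start)
        start = payload.find(pattern, start + 1)
    return hits


def triage(pkt: Packet) -> str:
    """Classify one packet the way the False positives section suggests.

    'no_alert'              pattern absent, the rule would not fire
    'likely_false_positive' inbound from an outside server port to a local
                            client port: probably a binary file download
    'investigate'           aimed at a local port with a server listening:
                            check that host for signs of exploitation
    'review'                anything else (e.g. outbound): needs a human look
    """
    if not match_offsets(pkt.payload):
        return "no_alert"
    inbound = not is_home(pkt.src) and is_home(pkt.dst)
    if inbound and pkt.sport in SERVER_PORTS and pkt.dport not in SERVER_PORTS:
        return "likely_false_positive"
    if inbound and pkt.dport in SERVER_PORTS:
        return "investigate"
    return "review"


# Constructed sample traffic (not captured data).
SAMPLES = [
    # a client on our net pulling a binary from an outside web server
    Packet("203.0.113.5", 80, "10.0.0.7", 51234,
           b"MZ\x90\x00" * 4 + FILLER_PATTERN + b"\x00" * 8),
    # the same bytes aimed at our ftp server's port from an outside high port
    Packet("203.0.113.5", 40000, "10.0.0.8", 21,
           b"USER " + b"A" * 64 + FILLER_PATTERN),
    # ordinary text, no match
    Packet("203.0.113.5", 80, "10.0.0.7", 51235,
           b"HTTP/1.0 200 OK\r\n\r\nhello"),
]


if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  "
              f"offsets={match_offsets(p.payload)}  {triage(p)}")
```

The point of the two-step split is that the match itself carries no judgement: the same offsets list is produced for a download and for a payload thrown at a listening service, and only the direction and port context separates the two, which is exactly why the rule is noisy on its own and worth keeping only with that context at hand.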