Snort mailing list archives
Re: proper usage of $SHELLCODE_PORTS ?
From: Jon Hart <jhart () ccs neu edu>
Date: Mon, 22 Apr 2002 08:11:24 -0400
Nope. snort 1.8 doesn't support variable ports like that. snort only supports ranges, single ports, not ranges, and not single ports.
That's what I was thinking after most of the obvious port declarations failed or didn't work as expected. Just using !80 still gives me far too many false positives, so I'm brewing up some workarounds. First I thought that I could have N shellcode.rules files in which each would have SHELLCODE_PORTS defined as excluding a single port. Then sanity set in and I knew that wouldn't work. I think if I use 'pass' rules with '-o', I could probably hack up a workaround. i.e.,

<begin 80+ character paste>

pass ip $EXTERNAL_NET any -> $HOME_NET !80 (msg:"SHELLCODE x86 setuid 0"; content: "|b017 cd80|"; reference:arachnids,436; classtype:system-call-detect; sid:650; rev:5;)
pass ip $EXTERNAL_NET any -> $HOME_NET !119 (msg:"SHELLCODE x86 setuid 0"; content: "|b017 cd80|"; reference:arachnids,436; classtype:system-call-detect; sid:650; rev:5;)
pass ip $EXTERNAL_NET any -> $HOME_NET !515 (msg:"SHELLCODE x86 setuid 0"; content: "|b017 cd80|"; reference:arachnids,436; classtype:system-call-detect; sid:650; rev:5;)
pass ip $EXTERNAL_NET any -> $HOME_NET !9100 (msg:"SHELLCODE x86 setuid 0"; content: "|b017 cd80|"; reference:arachnids,436; classtype:system-call-detect; sid:650; rev:5;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 setuid 0"; content: "|b017 cd80|"; reference:arachnids,436; classtype:system-call-detect; sid:650; rev:5;)

...or something like that. I haven't used pass rules in a while, so it will take some fighting to get it to work. Of course, I'll run another snort process dedicated to shellcode only which will run with '-o' and the cracked-up rules listed above. I am willing to take the performance hit if it means I can still detect shellcode _and_ keep the thousands of false positives down that I'd get otherwise.

I suppose that I could just fire up another snort process and weed out the noisy ports with a bpf filter on the command line. If that will work, I'm sure it'd be far more resource-friendly than the first method.

Thoughts?

Thanks again,
-jon
This is scheduled to be modified (Andrew is working on it IIRC) so we can have arbitrary port declaration, but I think it is on the 2.0 todo list, not 1.9 -brian
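Added example, not from the thread: a small Python helper that builds both workarounds discussed above for a given rule (one pass rule per noisy port plus the alert, for a snort -o run, and the BPF expression for a dedicated process) and simulates which destination ports the pass rules end up suppressing under -o ordering. Each generated pass rule names its port positively so that it suppresses only that port; the rule text and port list come from the thread, while the function names and the simulation are assumptions of this example.

```python
import re

# Constructed input: the sid:650 rule from the thread, written as the alert rule.
ALERT_RULE = (
    'alert ip $EXTERNAL_NET any -> $HOME_NET any '
    '(msg:"SHELLCODE x86 setuid 0"; content: "|b017 cd80|"; '
    'reference:arachnids,436; classtype:system-call-detect; sid:650; rev:5;)'
)
NOISY_PORTS = [80, 119, 515, 9100]  # ports whose ordinary traffic trips the signature

# Snort 1.x rule header: action proto src sport dir dst dport (options)
HEADER = re.compile(
    r'^(?P<action>alert|pass|log)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+(?P<opts>\(.*\))$'
)

def pass_rules(rule, noisy_ports):
    """One 'pass' rule per noisy destination port, then the original alert.
    With snort -o (pass rules evaluated before alert rules) each pass rule
    silences only its own port; every other port still reaches the alert."""
    m = HEADER.match(rule.strip())
    if not m:
        raise ValueError("not a snort rule header: " + rule)
    h = m.groupdict()
    body = f"{h['proto']} {h['src']} {h['sport']} {h['dir']} {h['dst']}"
    lines = [f"pass {body} {p} {h['opts']}" for p in noisy_ports]
    lines.append(rule.strip())
    return lines

def bpf_filter(noisy_ports):
    """Command-line BPF for a dedicated snort process: the noisy ports are
    dropped before detection, so no rule work is spent on them at all."""
    return "not (" + " or ".join(f"dst port {p}" for p in noisy_ports) + ")"

def port_matches(spec, port):
    """Match a single snort 1.8 port spec ('any', '80', '!80', '1:1024')."""
    if spec == "any":
        return True
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, hi = spec.split(":")
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = port == int(spec)
    return hit != negated

def outcome_for_port(rules, port):
    """Simulate -o ordering: first matching pass rule wins, else first alert."""
    parsed = [HEADER.match(r).groupdict() for r in rules]
    for action in ("pass", "alert"):
        for h in parsed:
            if h["action"] == action and port_matches(h["dport"], port):
                return action
    return None
```

Running outcome_for_port over a candidate rule set before deploying it is a cheap way to confirm that only the intended ports are silenced.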