Snort mailing list archives

Re: proper usage of $SHELLCODE_PORTS ?


From: Jon Hart <jhart () ccs neu edu>
Date: Mon, 22 Apr 2002 08:11:24 -0400

Nope.  snort 1.8 doesn't support variable ports like that.  snort only
supports ranges, single ports, not ranges, and not single ports.  

That's what I was thinking after most of the obvious port declarations
failed or didn't work as expected.  Just using !80 still gives me far too
many false positives, so I'm brewing up some workarounds.

First I thought that I could have N shellcode.rules files in which each
would have SHELLCODE_PORTS defined as excluding a single port.  Then sanity
set in and I knew that wouldn't work.  I think if I use 'pass' rules with
'-o', I could probably hack up a workaround.  i.e.,

<begin 80+ character paste>

pass ip $EXTERNAL_NET any -> $HOME_NET !80 (msg:"SHELLCODE
x86 setuid 0"; content: "|b017 cd80|"; reference:arachnids,436;
classtype:system-call-detect; sid:650; rev:5;)

pass ip $EXTERNAL_NET any -> $HOME_NET !119 (msg:"SHELLCODE
x86 setuid 0"; content: "|b017 cd80|"; reference:arachnids,436;
classtype:system-call-detect; sid:650; rev:5;)

pass ip $EXTERNAL_NET any -> $HOME_NET !515 (msg:"SHELLCODE
x86 setuid 0"; content: "|b017 cd80|"; reference:arachnids,436;
classtype:system-call-detect; sid:650; rev:5;)

pass ip $EXTERNAL_NET any -> $HOME_NET !9100 (msg:"SHELLCODE
x86 setuid 0"; content: "|b017 cd80|"; reference:arachnids,436;
classtype:system-call-detect; sid:650; rev:5;)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE
x86 setuid 0"; content: "|b017 cd80|"; reference:arachnids,436;
classtype:system-call-detect; sid:650; rev:5;)

...or something like that.  I haven't used pass rules in a while, so it
will take some fighting to get it to work.  Of course, I'll run another
snort process dedicated to shellcode only which will run with '-o' and the
cracked-up rules listed above.  I am willing to take the performance hit if
it means I can still detect shellcode _and_ keep the thousands of false
positives down that I'd get otherwise.

I suppose that I could just fire up another snort process and weed out the
noisy ports with a bpf filter on the command line.  If that will work, I'm
sure it'd be far more resource-friendly than the first method.

Thoughts?

Thanks again,

-jon
This is scheduled to be modified (Andrew is working on it IIRC) so we
can have arbitrary port declaration, but I think it is on the 2.0 todo
list, not 1.9.

-brian

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
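An added example, not part of the thread, to check the two workarounds described in the post above: a small Python model of Snort's '-o' ordering (pass rules evaluated before alert rules, first matching rule wins) that also renders the rule text and the equivalent command-line BPF filter. The matcher is an assumption, a deliberately tiny stand-in for the real detection engine, and the sample payloads are constructed. One point a practitioner would check before deploying: a pass rule whose destination port is written as `!80` matches every port except 80, so with several such rules in front of the alert, a packet to any unlisted port is passed by the first rule that isn't about its port; naming the noisy port itself in each pass rule silences only that port.

```python
# Added example (not from the post): toy model of Snort 1.x '-o' ordering
# (pass rules before alert rules, first match wins) used to check the
# port-exclusion workarounds. The matcher is an assumption-level model,
# not Snort's detection engine.
from dataclasses import dataclass

# Ports the post wants excluded, and the content match from its rule.
NOISY_PORTS = [80, 119, 515, 9100]
SHELLCODE = bytes.fromhex("b017cd80")          # content:"|b017 cd80|"
RULE_OPTIONS = ('(msg:"SHELLCODE x86 setuid 0"; content:"|b017 cd80|"; '
                'reference:arachnids,436; classtype:system-call-detect; '
                'sid:650; rev:5;)')


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "alert"
    dport: str    # "any", "80" or "!80" (Snort header port syntax)


def port_matches(spec: str, port: int) -> bool:
    """Match a destination port against a Snort header port field."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return port != int(spec[1:])
    return port == int(spec)


def evaluate(rules, dport: int, payload: bytes) -> str:
    """Action taken under '-o': pass rules are checked first, then alerts;
    the first rule whose header and content both match decides."""
    ordered = ([r for r in rules if r.action == "pass"] +
               [r for r in rules if r.action == "alert"])
    for rule in ordered:
        if port_matches(rule.dport, dport) and SHELLCODE in payload:
            return rule.action
    return "none"


def negated_pass_rules(ports):
    """The construction from the post: one pass rule per port using '!port'."""
    return [Rule("pass", f"!{p}") for p in ports] + [Rule("alert", "any")]


def positive_pass_rules(ports):
    """Pass rules naming the noisy port itself, so only that port is silenced."""
    return [Rule("pass", str(p)) for p in ports] + [Rule("alert", "any")]


def render_rules(rules) -> str:
    """Emit the rule list in Snort rule syntax."""
    return "\n".join(
        f"{r.action} ip $EXTERNAL_NET any -> $HOME_NET {r.dport} {RULE_OPTIONS}"
        for r in rules)


def bpf_filter(ports) -> str:
    """Command-line BPF filter for the second approach in the post."""
    return "not (" + " or ".join(f"dst port {p}" for p in ports) + ")"


if __name__ == "__main__":
    # Constructed sample payloads: one with the setuid(0) byte pattern, one benign.
    hit = b"A" * 16 + SHELLCODE + b"B" * 16
    benign = b"GET / HTTP/1.0\r\n\r\n"
    for name, rules in [("negated", negated_pass_rules(NOISY_PORTS)),
                        ("positive", positive_pass_rules(NOISY_PORTS))]:
        print(f"{name}: port 31337 -> {evaluate(rules, 31337, hit)}, "
              f"port 80 -> {evaluate(rules, 80, hit)}, "
              f"benign on 31337 -> {evaluate(rules, 31337, benign)}")
    print(render_rules(positive_pass_rules(NOISY_PORTS)))
    print("snort ... '" + bpf_filter(NOISY_PORTS) + "'")
```

Running it shows the negated rule set returning "pass" for the shellcode pattern on port 31337 and on port 80 alike, while the positive rule set alerts on 31337 and passes only the listed ports; the BPF string is the filter the second, cheaper approach would hand to snort on the command line.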