Snort mailing list archives

Re: SHELLCODE x86 unicode NOOP


From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 22 Apr 2002 13:09:42 -0700 (PDT)

On Mon, 22 Apr 2002, Tony Wong wrote:

> What are these in alerts? I get them when a user is transferring files from
> one server to another. How can I stop them?

Well...  First things first, let's look at the rule that triggered.


alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 unicode NOOP";
content: "| 90009000900090009000|"; classtype:shellcode-detect; sid:653;
rev:4;)

[Extra space added between the | and 900 to prevent the rule from firing on
the email...]

Ok.  This rule will fire if it sees the content "9000900090009000" (yes, one
less set of 9000's to keep the rule from firing...) in an IP packet bound from
outside your network to the inside of your network.

Second:  Consider the way the rule is written.  "From outside on any port to
inside on any port containing string X."  So a user xfered a file with those
characters in it.  Did it come from outside your net on any port to the inside
of your net on any port while containing X?  Yep.  So the rule matched and
fired the alert.

Now, how to stop them?  Tell your users to stop transferring files that contain
"X".  That's not going to happen?  Then either disable the rule or learn
what/how would set the rules off and re-write it so that doesn't happen.

Compressed files, images, even text email will set that off as long as there's
that content....

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
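The point Erek makes above (the rule is a bare byte-pattern match with a direction constraint, so any payload carrying those bytes fires it) can be shown by evaluating SID 653 by hand against a few constructed packets. The example below is added here and is not code from the original post or from Snort; it parses Snort's `|hex|` content notation (including the general case of literal text mixed with hex segments, which goes beyond the single all-hex content on this page) and models the `$EXTERNAL_NET any -> $HOME_NET any` direction check. The `$HOME_NET` value, the IP addresses and all sample payloads are constructed for illustration.

```python
import ipaddress
import re

# Content from the rule quoted in the thread (SID 653, rev 4), kept with the
# space the poster inserted after the pipe; the parser below discards it.
SID_653_CONTENT = "| 90009000900090009000|"

# Constructed value for $HOME_NET; $EXTERNAL_NET is taken as !$HOME_NET.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")


def snort_content_to_bytes(content: str) -> bytes:
    """Turn a Snort content string into the raw bytes the engine searches for.

    Text outside pipe characters is literal; text between a pair of pipes is
    hex pairs (whitespace ignored).  Segments therefore alternate
    literal, hex, literal, hex, ... when the string is split on '|'.
    """
    out = bytearray()
    for i, segment in enumerate(content.split("|")):
        if i % 2 == 0:
            out += segment.encode("latin-1")          # literal text segment
        else:
            hexdigits = re.sub(r"\s+", "", segment)    # hex segment
            if len(hexdigits) % 2:
                raise ValueError(f"odd-length hex segment: {segment!r}")
            out += bytes.fromhex(hexdigits)
    return bytes(out)


def is_external(addr: str) -> bool:
    """$EXTERNAL_NET check: anything not inside $HOME_NET."""
    return ipaddress.ip_address(addr) not in HOME_NET


def rule_653_fires(src: str, dst: str, payload: bytes) -> bool:
    """Evaluate 'alert ip $EXTERNAL_NET any -> $HOME_NET any (content:...)'.

    Ports are 'any' on both sides, so only direction and payload matter.
    """
    direction_ok = is_external(src) and ipaddress.ip_address(dst) in HOME_NET
    return direction_ok and snort_content_to_bytes(SID_653_CONTENT) in payload


# Constructed sample payloads.
NOP_SLED_UTF16 = b"\x90\x00" * 8                     # what the rule is meant to catch
ARCHIVE_CHUNK = (b"PK\x03\x04\x1f\x8b"                # arbitrary archive-looking bytes
                 + b"\x90\x00" * 5                   # ...that happen to contain the sequence
                 + b"\x7c\x2e")
PLAIN_TEXT = "Quarterly report".encode("utf-16-le")  # UTF-16 text without the sequence


def demo() -> dict:
    """Run the rule against each constructed packet; True means an alert."""
    return {
        "nop sled, external->home": rule_653_fires("203.0.113.5", "10.1.2.3", NOP_SLED_UTF16),
        "archive chunk, external->home": rule_653_fires("203.0.113.5", "10.1.2.3", ARCHIVE_CHUNK),
        "archive chunk, internal->internal": rule_653_fires("10.9.9.9", "10.1.2.3", ARCHIVE_CHUNK),
        "utf-16 text, external->home": rule_653_fires("203.0.113.5", "10.1.2.3", PLAIN_TEXT),
    }


if __name__ == "__main__":
    for label, fired in demo().items():
        print(f"{label:36s} -> {'ALERT' if fired else 'no alert'}")
```

The second case is the one Tony is seeing: an innocent file that contains the ten bytes fires exactly like a real sled, because nothing in the rule looks at protocol, port or context. The third case shows why the direction clause matters when tuning: the same bytes moving between two internal hosts never reach the content check.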

