Snort mailing list archives
Re: SHELLCODE x86 unicode NOOP
From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 22 Apr 2002 13:09:42 -0700 (PDT)
On Mon, 22 Apr 2002, Tony Wong wrote:
What are these in alerts? I get them when a user is transferring files from one server to another. How can I stop them?
Well... First things first, let's look at the rule that triggered.

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 unicode NOOP"; content: "| 90009000900090009000|"; classtype:shellcode-detect; sid:653; rev:4;)

[Extra space added between the | and 900 to prevent the rule from firing on the email...]

Ok. This rule will fire if it sees the content "9000900090009000" (yes, one less set of 9000's to keep the rule from firing...) in an IP packet bound from outside your network to the inside of your network.

Second: Consider the way the rule is written. "From outside on any port to inside on any port containing string X." So a user xfered a file with those characters in it. Did it come from outside your net on any port to the inside of your net on any port while containing X? Yep. So the rule matched and fired the alert.

Now, how to stop them? Tell your users to stop transferring files that contain "X". That's not going to happen? Then either disable the rule or learn what/how would set the rules off and re-write it so that doesn't happen. Compressed files, images, even text email will set that off as long as there's that content....

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
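As an added illustration (not code from the thread or from Snort), the following Python models the two checks the reply walks through, the direction test and the raw content match, so you can see why an ordinary file transfer trips sid 653 and why the same bytes sent host-to-host inside $HOME_NET do not. It assumes $HOME_NET is 10.0.0.0/8 and uses constructed packet payloads.

```python
import ipaddress

# Content from the rule quoted above (sid 653), written in Snort's |hex| form;
# the protective space from the email is removed so it parses.
RULE_CONTENT = "|90 00 90 00 90 00 90 00 90 00|"
HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed $HOME_NET


def parse_content(spec: str) -> bytes:
    """Translate a Snort content string into raw bytes: text between pipes
    is hex (spaces ignored); text outside pipes is taken literally."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def direction_matches(src_ip: str, dst_ip: str) -> bool:
    """$EXTERNAL_NET any -> $HOME_NET any: source outside, destination inside.
    Ports are 'any' on both sides, so only the addresses matter."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return src not in HOME_NET and dst in HOME_NET


def rule_fires(src_ip: str, dst_ip: str, payload: bytes) -> bool:
    """True when both the header test and the byte-string search succeed."""
    return direction_matches(src_ip, dst_ip) and parse_content(RULE_CONTENT) in payload


# Constructed sample "packets" (src, dst, payload). The payloads are not
# shellcode; they are arbitrary binary data that happens to contain the bytes.
FIVE_PAIRS = b"\x1f\x8b\x08\x00" + b"\x90\x00" * 5 + b"\x00\xff\x10"  # e.g. a gzip chunk
FOUR_PAIRS = b"\x1f\x8b\x08\x00" + b"\x90\x00" * 4 + b"\x00\xff\x10"
SAMPLE_PACKETS = [
    ("203.0.113.5", "10.1.2.3", FIVE_PAIRS),  # outside -> inside: fires
    ("203.0.113.5", "10.1.2.3", FOUR_PAIRS),  # one pair short: no match
    ("10.1.2.3", "10.1.2.4", FIVE_PAIRS),     # inside -> inside: direction fails
    ("10.1.2.3", "203.0.113.5", FIVE_PAIRS),  # inside -> outside: direction fails
]


def alerts(packets) -> list:
    """Return the indexes of packets that would raise the alert."""
    return [i for i, (s, d, p) in enumerate(packets) if rule_fires(s, d, p)]


if __name__ == "__main__":
    print("alerting packets:", alerts(SAMPLE_PACKETS))  # prints [0]
```

Re-writing the rule, as the reply suggests, means tightening one of these two checks (ports, direction, or the content itself) so the file transfers you expect no longer satisfy both.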
Current thread:
- SHELLCODE x86 unicode NOOP Tony Wong (Apr 22)
- Re: SHELLCODE x86 unicode NOOP Erek Adams (Apr 22)
- Re: SHELLCODE x86 unicode NOOP Dragos Ruiu (Apr 22)