Snort mailing list archives

Re: SHELLCODE x86 unicode NOOP


From: Dragos Ruiu <dr () kyx net>
Date: Mon, 22 Apr 2002 13:20:25 +0000

On Mon, 22 Apr 2002 12:41:32 -0700
"Tony Wong" <tony.wong () stanford edu> wrote:

> What are these in alerts? I get them when a user is transferring files
> from one server to another. How can I stop them?

These alerts are from a signature intended to identify the "landing pad",
aka NOP sled, that a lot of exploits use. It falses on x86 nop-like codes that
are often a part of GIFs.

One way to stop the falses is to use the more sophisticated spp_fnord nop
sled detector available on the cansecwest.com site (it is due for inclusion
in the upcoming snort 1.9) and then disable the more likely to false
and less complete nop rules in the ruleset.

cheers,
--dr

-- 
--dr                  pgpkey: http://dragos.com/dr-dursec.asc
      CanSecWest/core02 - May 1-3 2002 - Vancouver B.C. - http://cansecwest.com
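Added example, not part of the post above and not the Snort or spp_fnord code: a fixed-pattern NOP check placed next to a run-length check over x86 single-byte NOP-equivalents, to show why the former fires on incidental binary data and misses sleds that are not pure 0x90, while the latter can be tuned with a minimum run length. The "eight 0x90 bytes" pattern is an assumed simplification of the signature, and both sample inputs are constructed.

```python
# Added example (not from the original post): a fixed-pattern NOP check next to
# a run-length check over x86 single-byte NOP-equivalents, to show why the
# former fires on incidental binary data while the latter can be tuned.

# Assumption: the signature behaves like "eight or more 0x90 bytes in a row".
# This is a simplified stand-in, not the actual Snort rule content.
FIXED_PATTERN = b"\x90" * 8

# Single-byte x86 opcodes that behave like NOPs in a landing pad:
# nop (0x90) and inc/dec reg32 (0x40-0x4F). Note that the ASCII letters
# '@' and 'A'..'O' fall in that range, so plain text contributes short runs.
NOP_EQUIVALENTS = {0x90} | set(range(0x40, 0x50))


def fixed_pattern_hit(payload: bytes) -> bool:
    """Plain content match, the way a simple signature works."""
    return FIXED_PATTERN in payload


def longest_nop_equivalent_run(payload: bytes) -> int:
    """Longest contiguous run of NOP-equivalent opcodes in the payload."""
    best = cur = 0
    for b in payload:
        cur = cur + 1 if b in NOP_EQUIVALENTS else 0
        best = max(best, cur)
    return best


def sled_hit(payload: bytes, min_run: int = 32) -> bool:
    """Alert only on a run long enough to be a usable landing pad."""
    return longest_nop_equivalent_run(payload) >= min_run


# Constructed inputs (not real captures):
# 1. file data with a short incidental run of 0x90 bytes, as padding or a
#    repeated byte value inside an image might produce
BENIGN_CHUNK = b"GIF89a" + bytes(range(0x00, 0x40)) + b"\x90" * 12 + b"\x00;"
# 2. a landing pad built from mixed NOP-equivalents: the case a 0x90-only
#    pattern never matches but a run-based detector catches
MIXED_SLED = bytes([0x90, 0x41, 0x4B, 0x42, 0x90, 0x40] * 10)

if __name__ == "__main__":
    for name, data in (("benign", BENIGN_CHUNK), ("mixed sled", MIXED_SLED)):
        print(f"{name:10s} fixed-pattern={fixed_pattern_hit(data)} "
              f"run={longest_nop_equivalent_run(data)} sled={sled_hit(data)}")
```

Raising `min_run` trades detection of short sleds for fewer alerts on file transfers; the right threshold is a local tuning decision rather than a fixed number.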

