Snort mailing list archives

Re: SHELLCODE Attacks


From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 05 Dec 2003 15:37:22 -0500

At 03:05 PM 12/5/2003, Naman Latif wrote:
> Does that mean that no SHELLCODE attacks exist for port 80?

Plenty of shellcode attacks exist for webservers.

*theoretically* I believe the intent is to not catch HTTP replies.. but the shellcode rules are completely broken the way they are written.

Really you probably want to look for shellcode attacks with source-port !80.. instead of dest-port !80.

Personally, I re-write these rules on a per-case basis for my uses. I have one copy of each rule monitor all accessible ports on all servers. (inbound to tcp/dns, tcp/smtp, tcp/http, etc)
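
The port-direction point in the reply above, worked through as an added example (not part of the original post and not Snort's own code): a simplified model of a rule header with one content match, evaluated over three constructed flows. The addresses, ports, payloads, the `10.0.0.` home prefix and the external-to-home rule direction are all assumptions.

```python
# Added illustration: simplified model of a Snort-style rule header plus one
# content match. All addresses, ports and payloads below are constructed.
from dataclasses import dataclass

NOP_SLED = b"\x90" * 16   # stand-in for a shellcode content pattern
HOME_NET = "10.0.0."      # assumed internal prefix (hypothetical)

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

def port_ok(spec: str, port: int) -> bool:
    """Match 'any', 'N' or '!N' against a port, like a rule header port field."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return port != int(spec[1:])
    return port == int(spec)

def alerts(pkt: Packet, sport_spec: str, dport_spec: str) -> bool:
    """Assumed rule shape: external -> HOME_NET, given port specs, NOP content."""
    inbound = not pkt.src.startswith(HOME_NET) and pkt.dst.startswith(HOME_NET)
    return (inbound and port_ok(sport_spec, pkt.sport)
            and port_ok(dport_spec, pkt.dport) and NOP_SLED in pkt.payload)

FLOWS = {  # constructed sample traffic
    "attack on web server": Packet("198.51.100.7", 40112, "10.0.0.80", 80,
                                   b"GET /" + NOP_SLED * 4),
    "HTTP reply, binary body": Packet("203.0.113.9", 80, "10.0.0.15", 51234,
                                      b"HTTP/1.1 200 OK\r\n\r\n" + NOP_SLED * 2),
    "attack on mail server": Packet("198.51.100.7", 40113, "10.0.0.25", 25,
                                    b"HELO " + NOP_SLED * 4),
}

def evaluate() -> dict:
    """Compare the dest-port !80 header with the source-port !80 header."""
    return {name: {"dst !80": alerts(p, "any", "!80"),
                   "src !80": alerts(p, "!80", "any")}
            for name, p in FLOWS.items()}

if __name__ == "__main__":
    for name, r in evaluate().items():
        print(f"{name:26} dst!80={r['dst !80']!s:5} src!80={r['src !80']!s:5}")
```

In this model the dest-port !80 header misses the inbound attack on the web server and still fires on the HTTP reply, while the source-port !80 header does the reverse; both fire on the mail-server flow.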


