Snort mailing list archives

Re: SHELLCODE Attacks


From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 05 Dec 2003 16:39:39 -0500

At 04:22 PM 12/5/2003, Erwin Van de Velde wrote:
> > Personally, I re-write these rules on a per-case basis for my uses. I have
> > one copy of each rule monitor all accessible ports on all servers. (inbound
> > to tcp/dns, tcp/smtp, tcp/http, etc)
> This seems not so good to me... wouldn't it be better to check for shellcode
> attacks on all ports behind the firewall (except for HTTP perhaps)?

Yes, albeit you increase your false-alarm noise level. I use this strategy mostly to detect buffer overflow attacks against the DMZ servers.

> but perhaps you should watch people on your network trying to access non-existing services...

I do this and a whole lot more.. I use spade, which has this functionality built in. I also use many customized rules, and egress filtering at the firewall..

> Not all the bad guys are on the outside, you know....

Agreed, even if all of your "insiders" are 100% trusted, one of them could have a worm.

Just because I stated that I use the shellcode rules one way doesn't mean I trust my inside network.

I also am intentionally vague when posting to the list. After all, I never said I don't look for outbound packets containing shellcode.. I merely stated that I DO look for it per-server on selected ports inbound, and that I do that by copying and customizing them for my own specifics.

My intent was to get them going on the idea of tweaking these rules, and provide some starting suggestions, without detailing my exact configuration enough to assist attackers.
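The per-server tweak Matt describes (one copy of a shellcode rule per accessible service, plus a separate outbound copy) looks roughly like the following Snort 2 rule fragment. This is an added illustration, not Matt's configuration or a stock rule from the Snort distribution: the DMZ addresses, the `LOCAL` message prefix and the SIDs in the 1000001+ local range are placeholders, and the NOP-sled content pattern is only modelled on the stock x86 NOOP rule, not copied from it. `ipvar`/`portvar` are the Snort 2.4+/2.6+ keywords; older builds use plain `var` for both.

```snort
# local.rules / snort.conf fragment (added example; addresses and SIDs are assumed)
ipvar DMZ_DNS  [192.0.2.10/32]
ipvar DMZ_SMTP [192.0.2.20/32]
ipvar DMZ_HTTP [192.0.2.30/32]
portvar DNS_PORTS  53
portvar SMTP_PORTS 25
portvar HTTP_PORTS 80

# Inbound copies, one per server, each scoped to the port that host actually
# serves. A 14-byte run of 0x90 is the classic x86 NOP-sled signature.
alert tcp $EXTERNAL_NET any -> $DMZ_DNS $DNS_PORTS (msg:"LOCAL SHELLCODE x86 NOOP inbound to DNS"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; classtype:shellcode-detect; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $DMZ_SMTP $SMTP_PORTS (msg:"LOCAL SHELLCODE x86 NOOP inbound to SMTP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; classtype:shellcode-detect; sid:1000002; rev:1;)
# HTTP is intentionally omitted, as Erwin's "except for HTTP perhaps" suggests:
# binary uploads and file transfers on port 80 make this pattern noisy there.

# Outbound copy: the same pattern leaving the inside network on any port,
# which catches a compromised or worm-infected internal host (egress view).
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL SHELLCODE x86 NOOP outbound"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; classtype:shellcode-detect; sid:1000003; rev:1;)
```

Keeping the inbound copies tied to real server/port pairs is what keeps the false-alarm level down; the single outbound rule is the cheap way to cover the "bad guys on the inside" case without opening every port to the noisy pattern.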
