Snort mailing list archives

Re: SHELLCODE Attacks


From: Jeff Nathan <jeff () snort org>
Date: Fri, 5 Dec 2003 17:16:41 -0500


On Dec 5, 2003, at 4:22 PM, Erwin Van de Velde wrote:

> This seems not so good to me... wouldn't it be better to check for
> shellcode attacks on all ports behind the firewall (except for HTTP
> perhaps)? This way you cannot forget a port that is open and the traffic
> on ports that are filtered by the firewall isn't there anymore anyway...
> Only people behind the firewall, sending 'strange traffic' on ports that
> are not open could result in extra shellcode attack warnings... but
> perhaps you should watch people on your network trying to access
> non-existing services... Not all the bad guys are on the outside, you
> know....

The reasons for excluding webserver ports are that certain binary data can resemble shellcode. For example, a GIF color table can look like a NOP sled. Also, if you're using curses over telnet, it can also resemble shellcode.

-Jeff

--
http://cerberus.sourcefire.com/~jeff       (gpg/pgp key id 6923D3FD)
"Common sense is the collection of prejudices acquired by age
eighteen."   - Albert Einstein
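
The false positive described in the reply above, as an added example that is not part of the original message or of Snort's own rules: a content-only check for a run of 0x90 bytes fires on a GIF color table, and skipping web ports suppresses it. The run-length threshold, the port set and the GIF bytes are constructed assumptions.

```python
# Added illustration; threshold, port list and sample bytes are constructed.
import struct

NOP = 0x90
MIN_RUN = 14                 # assumed sled-length threshold
WEB_PORTS = {80, 8080}       # assumed ports excluded from shellcode checks


def longest_nop_run(payload: bytes) -> int:
    """Length of the longest run of consecutive 0x90 bytes."""
    best = run = 0
    for b in payload:
        run = run + 1 if b == NOP else 0
        best = max(best, run)
    return best


def naive_alert(payload: bytes) -> bool:
    """Content-only heuristic: any long 0x90 run is flagged."""
    return longest_nop_run(payload) >= MIN_RUN


def port_aware_alert(payload: bytes, dst_port: int) -> bool:
    """Same heuristic, skipped on ports where binary content is expected."""
    return dst_port not in WEB_PORTS and naive_alert(payload)


def build_gif_header() -> bytes:
    """Constructed GIF89a header with an 8-entry global color table.

    Five adjacent palette entries are the gray RGB(144,144,144), which is
    fifteen 0x90 bytes in a row with nothing executable involved.
    """
    palette = [(0, 0, 0), (255, 255, 255)] + [(144, 144, 144)] * 5 + [(200, 30, 30)]
    table = b"".join(bytes(rgb) for rgb in palette)
    # Logical screen descriptor: 16x16, packed 0xF2 = table present, 2^(2+1) entries
    lsd = struct.pack("<HHBBB", 16, 16, 0xF2, 0, 0)
    return b"GIF89a" + lsd + table


GIF = build_gif_header()
TEXT = b"GET /index.html HTTP/1.0\r\n\r\n"   # constructed benign request

if __name__ == "__main__":
    print("longest 0x90 run in GIF header:", longest_nop_run(GIF))
    print("naive alert on GIF:", naive_alert(GIF))
    print("port-aware alert, port 80:", port_aware_alert(GIF, 80))
    print("port-aware alert, port 2121:", port_aware_alert(GIF, 2121))
```

The same image carried on a port outside the exclusion set still alerts, so the exclusion trades coverage on those ports for fewer false positives rather than fixing the heuristic.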



