RE: SHELLCODE Attacks

["Naman Latif" <naman.latif () inamed com>]

Thanks.
Modifying the Rules will be a good starting point for me.



-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com] 
Sent: Friday, December 05, 2003 12:37 PM
To: Naman Latif; snort-users () lists sourceforge net
Subject: Re: [Snort-users] SHELLCODE Attacks

At 03:05 PM 12/5/2003, Naman Latif wrote:
> Does that mean that no SHELLCODE attacks exist for port 80 ?

Plenty of shellcode attacks exist for webservers.

*theoretically* I belive the intent is to not catch HTTP replies.. but
the 
shellcode rules are completely broken the way they are written.

Really you probably want to look for shellcode attacks with source-port 
!80.. instead of dest-port !80.

Personally, I re-write these rules on a per-case basis for my uses. I
have 
one copy of each rule monitor all accessible ports on all servers.
(inbound 
to tcp/dns, tcp/smtp, tcp/http, etc)



-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id78&alloc_id371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users