Snort mailing list archives
Re: alert 1394 shellcode x86 inc ecx noop
From: Matt Olney <molney () sourcefire com>
Date: Sun, 13 Mar 2011 18:06:02 -0400
Actually, looking at this rule (I was going to bug it), the ports solution won't work:

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 inc ecx NOOP"; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; classtype:shellcode-detect; sid:1394; rev:12;)

Because it's an IP rule, it ignores port vars. Um....if you're going to do what Nigel suggests, convert it to a TCP rule and then use the SHELLCODE ports. I think we'll probably look at providing both an IP and a TCP rule. If I were forced to make a decision, I'd take the relatively low risk of missing a shellcode on non-TCP traffic and avoiding the high degree of FP that these can cause on web traffic. But we'll probably provide both and default disable the IP one. It will go in the research queue for evaluation.

Bugged for review: 85925

Matt

On Sat, Mar 12, 2011 at 10:06 AM, Nigel Houghton <nhoughton () sourcefire com> wrote:
On Fri, 11 Mar 2011 22:23:12 -0600, Michael Lubinski wrote:

This seems like one of those rules that you have to significantly tune in order to get some usefulness out of it. This is a few payloads it's triggering on. My guess is that I just have to start filtering via threshold.conf.
Am I wrong in assuming that this alert should generate some FPs due to its nature?

Looks like web traffic.
So yes, the outlook is good for false positive events. In your snort.conf you should see this:

# List of ports you want to look for SHELLCODE on.
portvar SHELLCODE_PORTS !80

If the traffic you are seeing is web traffic on another port, you might want to change that port to a list. Now you can use the $SHELLCODE_PORTS variable in the rule instead of "any". You should be able to configure PulledPork to do this for you each time you update your rules. If you do that, then Snort will not evaluate traffic on that port for the conditions in that rule. If you use event_filter or suppress in your threshold.conf, it will continue to evaluate the traffic and still give you events (although not as often depending on the event_filter, and not at all with suppress of course).

--
Nigel Houghton
Head Mentalist SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/

------------------------------------------------------------------------------
Colocation vs. Managed Hosting
A question and answer guide to determining the best fit for your organization - today and in the future.
http://p.sf.net/sfu/internap-sfd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
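An added example (my own toy model, not Snort's code and not from anyone in the thread) of the two points made above: Matt's observation that an `ip` rule ignores port variables, and Nigel's `portvar SHELLCODE_PORTS !80` applied to a `tcp` variant of sid:1394. It assumes the variable sits on the source side of the header, as in the stock shellcode rules, so the traffic skipped is a web server's reply from port 80; all packets are constructed.

```python
# From snort.conf, as quoted in the thread.
PORTVARS = {"$SHELLCODE_PORTS": "!80"}
PATTERN = b"A" * 31  # the content: match of sid:1394

# Header of the rule quoted on the list, and the tcp variant Matt proposes.
# Assumption: $SHELLCODE_PORTS goes on the source side, as in the stock
# shellcode rules, so a web server's reply (source port 80) is skipped.
IP_RULE = "alert ip $EXTERNAL_NET any -> $HOME_NET any"
TCP_RULE = "alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any"

def port_matches(spec, port):
    """Evaluate a Snort port spec: any, N, N:M, :M, N:, [a,b,...], !spec."""
    spec = PORTVARS.get(spec, spec)
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    for part in spec.strip("[]").split(","):
        lo, colon, hi = part.partition(":")
        hi = hi if colon else lo
        if int(lo or 0) <= port <= int(hi or 65535):
            return True
    return False

def rule_matches(rule, pkt):
    """pkt is a constructed dict: proto, sport, dport, payload (bytes)."""
    _action, proto, _src, sport, _arrow, _dst, dport = rule.split()
    if proto == "ip":
        # An ip rule carries no transport ports, so the port fields are
        # ignored and only the payload content decides (Matt's point).
        return PATTERN in pkt["payload"]
    if proto != pkt["proto"]:
        return False  # a tcp rule never sees UDP or ICMP traffic
    return (port_matches(sport, pkt["sport"])
            and port_matches(dport, pkt["dport"])
            and PATTERN in pkt["payload"])

# Constructed traffic: a web reply carrying a base64-style run of "A"s,
# the same bytes over UDP, and a TCP stream from a non-web port.
WEB_REPLY = {"proto": "tcp", "sport": 80, "dport": 51234,
             "payload": b"<a href=\"/clk?AMKcFwCo5Y" + b"A" * 64 + b"==\">"}
UDP_BLOB = {"proto": "udp", "sport": 53, "dport": 51235, "payload": b"A" * 40}
TCP_ODD = {"proto": "tcp", "sport": 4444, "dport": 51236, "payload": b"A" * 40}

def compare(rule):
    """Which of the three constructed packets the rule would alert on."""
    return [rule_matches(rule, p) for p in (WEB_REPLY, UDP_BLOB, TCP_ODD)]
```

compare(IP_RULE) returns [True, True, True] while compare(TCP_RULE) returns [False, False, True]: the tcp variant skips the port-80 reply but, as Matt notes, also the UDP packet.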
Current thread:
- alert 1394 shellcode x86 inc ecx noop Michael Lubinski (Mar 11)
- Re: alert 1394 shellcode x86 inc ecx noop Nigel Houghton (Mar 12)
- Re: alert 1394 shellcode x86 inc ecx noop Matt Olney (Mar 13)
- Re: alert 1394 shellcode x86 inc ecx noop Nigel Houghton (Mar 12)