Snort mailing list archives
Re: SHELLCODE Attacks
From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 05 Dec 2003 16:39:39 -0500
At 04:22 PM 12/5/2003, Erwin Van de Velde wrote:
> > Personally, I re-write these rules on a per-case basis for my uses. I have
> > one copy of each rule monitor all accessible ports on all servers. (inbound
> > to tcp/dns, tcp/smtp, tcp/http, etc)
> This seems not so good to me... wouldn't it be better to check for shellcode attacks on all ports behind the firewall (except for HTTP perhaps)?
Yes, albeit you increase your false-alarm noise level. I use this strategy mostly to detect buffer overflow attacks against the DMZ servers.
> but perhaps you should watch people on your network trying to access non-existing services...
I do this and a whole lot more.. I use spade, which has this functionality built in. I also use many customized rules, and egress filtering at the firewall..
> Not all the bad guys are on the outside, you know....
Agreed, even if all of your "insiders" are 100% trusted, one of them could have a worm.
Just because I stated that I use the shellcode rules one way doesn't mean I trust my inside network.
I also am intentionally vague when posting to the list. After all, I never said I don't look for outbound packets containing shellcode.. I merely stated that I DO look for it per-server on selected ports inbound, and that I do that by copying the rules and customizing them for my own specifics.
My intent was to get them going on the idea of tweaking these rules, and provide some starting suggestions, without detailing my exact configuration enough to assist attackers.
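As an added illustration of the per-server rewrite discussed in this thread (not code from Matt's post or from the Snort distribution): the default-scoped rule, modeled on the stock SHELLCODE x86 NOOP signature, beside per-service inbound copies and an outbound copy. The DMZ addresses and the local sids are assumed placeholders; the content match is the same 14-byte NOP sled the stock rule uses.

```snort
# --- Default scope, modeled on the stock SHELLCODE x86 NOOP rule (sid 648) ---
# snort.conf ships SHELLCODE_PORTS as "!80", and the stock rule puts it on the
# SOURCE side: it is web-server *responses* (binary images, archives) being
# excluded, not requests to port 80. Every other port is matched, which is why
# the category is noisy and commonly disabled wholesale.
var SHELLCODE_PORTS !80
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any \
    (msg:"SHELLCODE x86 NOOP"; \
    content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth:128; \
    classtype:shellcode-detect; sid:648;)

# --- Per-server copies (assumed placeholder addresses, local sid range) ---
var DMZ_DNS  192.0.2.10
var DMZ_SMTP 192.0.2.20
var DMZ_WWW  192.0.2.30

# One copy per reachable service, inbound only, established session, payload
# flowing toward the server. Scoping to the listening port removes the noise
# from client-side downloads while keeping the overflow-attempt detection.
alert tcp $EXTERNAL_NET any -> $DMZ_DNS 53 \
    (msg:"SHELLCODE x86 NOOP inbound to DMZ DNS"; flow:to_server,established; \
    content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; \
    classtype:shellcode-detect; sid:1000001; rev:1;)

alert tcp $EXTERNAL_NET any -> $DMZ_SMTP 25 \
    (msg:"SHELLCODE x86 NOOP inbound to DMZ SMTP"; flow:to_server,established; \
    content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; \
    classtype:shellcode-detect; sid:1000002; rev:1;)

# Inbound requests to the web server are matched here; it is the server's
# replies (the binary-heavy direction) that stay out of scope.
alert tcp $EXTERNAL_NET any -> $DMZ_WWW 80 \
    (msg:"SHELLCODE x86 NOOP inbound to DMZ HTTP"; flow:to_server,established; \
    content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; \
    classtype:shellcode-detect; sid:1000003; rev:1;)

# Outbound copy: an inside host pushing a NOP sled toward the outside is the
# "insider with a worm" case. Expect some false positives from binary uploads;
# tune with pass rules or port exclusions rather than dropping the rule.
alert tcp $HOME_NET any -> $EXTERNAL_NET any \
    (msg:"SHELLCODE x86 NOOP outbound from internal host"; \
    flow:to_server,established; \
    content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; \
    classtype:shellcode-detect; sid:1000004; rev:1;)
```

Each copy fires with a message naming the service it protects, so an analyst sees which server and port was targeted without looking up the packet.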