File: 1390.txt

package info (click to toggle)
snort 2.7.0-20.4
  • links: PTS
  • area: main
  • in suites: lenny
  • size: 34,512 kB
  • ctags: 18,772
  • sloc: ansic: 115,404; sh: 10,893; makefile: 1,372; perl: 487; sql: 213
file content (63 lines) | stat: -rw-r--r-- 1,393 bytes parent folder | download | duplicates (6)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
Rule:

--
Sid:
1390

--
Summary:
This event is generated when an attempt is made to execute shellcode on 
a host in the protected network from a source external to that network.

--
Impact:
This set of instructions can be used as a NOOP to pad buffers on an x86 
architecture machines.

--
Detailed Information:
This is the x86 opcode for 'inc ebx'.  This can be used as a NOOP in an 
x86 architecture, however as with all shellcode rules, this can cause 
false positives.  Check to see if you are ignoring shellcode rules on 
web ports, as this will reduce false positives.

--
Attack Scenarios:
An attacker can pad buffers with this opcode, in an attempt to overflow 
the buffer.

--
Ease of Attack:
This is a generic rule designed to pick up this opcode in use.

--
False Positives:
This will false positive if rule is not ignoring clear text ports every 
time snort sees 24 'C' characters (hex code of 43) in a row.

This is the x86 opcode for 'inc ebx'.  This can be used as a NOOP in an 
x86 architecture, however as with all shellcode rules, this can cause 
false positives.

--
False Negatives:
none known

--
Corrective Action:
none known

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Mike Poor <mike.poor@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

CansecWest:
http://cansecwest.com/noplist-v1-1.txt

--