File: 1424.txt

Rule:

--
Sid:
1424

--
Summary:
This event is generated when suspicious shell code is detected in
network traffic.

--
Impact:
Denial of Service (DoS); possible execution of arbitrary code.

--
Detailed Information:
This event is generated when suspicious shell code is detected. Many
buffer overflow attacks contain large numbers of NOOP instructions to pad
out the request. Other attacks contain specific shell code sequences
directed at certain applications or services.

The shellcode in question may also use Unicode encoding.
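Added illustration (not part of the rule documentation or of Snort's own detection engine): a small detector that looks for runs of the x86 NOOP opcode (0x90), both in raw form and in the two-byte UTF-16LE "Unicode" form described above, over constructed sample payloads. The run-length threshold and the sample data are assumptions; the third sample shows the binary-transfer false-positive case noted later in this document.

```python
import re

# Constructed sample payloads (not real captures): a raw x86 NOOP sled, a
# UTF-16LE ("Unicode") encoded NOOP sled, and benign binary data that
# contains isolated 0x90 bytes but no run of them.
SAMPLES = {
    "raw_sled":     b"GET /" + b"\x90" * 32 + b"\xcc\xcc",
    "unicode_sled": b"\x00A" + b"\x90\x00" * 20 + b"\xeb\x00",
    "binary_file":  bytes(range(256)) * 2,  # every byte value once, twice over
}

# Raw NOOP run: 0x90 repeated. Unicode NOOP run: 0x90 0x00 repeated, which is
# what a narrow-to-wide string conversion produces from a 0x90 sled.
RAW_NOP = re.compile(rb"(?:\x90)+")
UNICODE_NOP = re.compile(rb"(?:\x90\x00)+")

def longest_run(pattern, data, unit):
    """Longest matching run in data, counted in NOOP instructions.

    unit is the encoded width of one NOOP (1 for raw, 2 for Unicode).
    """
    return max((len(m.group(0)) // unit for m in pattern.finditer(data)),
               default=0)

def classify(data, min_nops=14):
    """Return 'raw' or 'unicode' when a sled of at least min_nops NOOPs is
    present, otherwise None. min_nops is a hypothetical threshold; a real
    signature fixes it in its content match."""
    if longest_run(RAW_NOP, data, 1) >= min_nops:
        return "raw"
    if longest_run(UNICODE_NOP, data, 2) >= min_nops:
        return "unicode"
    return None

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:13s} -> {classify(payload)}")
```

Raising min_nops lowers the false-positive rate on binary transfers at the cost of missing shorter sleds, which is the trade-off any fixed content match makes.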

--
Affected Systems:
Any software running on x86 architecture.

--
Attack Scenarios:
An attacker may exploit a DCERPC service by sending shellcode in the RPC
data stream. Sending large amounts of data to the Microsoft Workstation
service can cause a buffer overflow condition in the logging function
thus presenting an attacker with the opportunity to issue a DoS attack
or in some cases, to execute code of their choosing.

--
Ease of Attack:
Simple. Many exploits exist.

--
False Positives:
False positives may be generated by binary file transfers.

--
False Negatives:
None known

--
Corrective Action:
Make sure the target host has all current patches applied and has the
latest software versions installed.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

--