File: 1390.txt

Rule:

--
Sid:
1390

--
Summary:
This event is generated when an attempt is made to execute shellcode on 
a host in the protected network from a source external to that network.

--
Impact:
This instruction can be used as a NOOP to pad buffers on x86 
architecture machines.

--
Detailed Information:
This is the x86 opcode for 'inc ebx'.  It can be used as a NOOP on the 
x86 architecture; however, as with all shellcode rules, it can cause 
false positives.  Check whether you are ignoring shellcode rules on 
web ports, as this will reduce false positives.

--
Attack Scenarios:
An attacker can pad buffers with this opcode, in an attempt to overflow 
the buffer.

--
Ease of Attack:
This is a generic rule designed to pick up this opcode in use.

--
False Positives:
If the rule is not ignoring clear-text ports, it will false positive 
every time Snort sees 24 'C' characters (hex 0x43) in a row.
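The detection logic described in the Detailed Information and False Positives sections, as an added example that is not part of the Snort rule documentation: it flags a run of at least 24 consecutive 0x43 ('inc ebx') bytes and shows how ignoring clear-text ports suppresses the 24-'C' false positive. The set of ignored ports and the sample payloads are constructed for this example.

```python
"""Added example (not from the Snort rule documentation): a minimal
detector for the sid 1390 condition, a run of at least 24 consecutive
0x43 ('C', x86 'inc ebx') bytes, plus the port-based suppression the
documentation recommends for clear-text/web ports."""
import re

MIN_RUN = 24  # threshold stated in the rule documentation
# Ports on which the documentation suggests ignoring shellcode rules to
# cut false positives; this particular list is an assumption.
IGNORED_CLEARTEXT_PORTS = {21, 25, 80, 110, 143}

# Greedy match of MIN_RUN or more 0x43 bytes (the 'inc ebx' NOP sled).
_SLED = re.compile(rb"\x43{%d,}" % MIN_RUN)


def find_inc_ebx_sled(payload: bytes) -> int:
    """Return the longest run of 0x43 bytes that reaches MIN_RUN, else 0."""
    return max((m.end() - m.start() for m in _SLED.finditer(payload)),
               default=0)


def would_alert(payload: bytes, dst_port: int,
                ignore_cleartext: bool = True) -> bool:
    """Mimic the rule's decision: alert on a qualifying run unless the
    destination port is one the operator has chosen to ignore."""
    if ignore_cleartext and dst_port in IGNORED_CLEARTEXT_PORTS:
        return False
    return find_inc_ebx_sled(payload) >= MIN_RUN


# Constructed sample traffic, not captured data.
SAMPLES = {
    # A 0x43 sled padding a buffer, sent to a non-standard port.
    "sled_on_high_port": (b"\x43" * 40 + b"\xcc\xcc", 31337),
    # The false positive the doc warns about: 24 literal 'C's in HTTP text.
    "ccc_in_http": (b"GET /?q=" + b"C" * 24 + b" HTTP/1.1\r\n", 80),
    # Too short to reach the threshold.
    "short_run": (b"\x43" * 23, 31337),
}

if __name__ == "__main__":
    for name, (payload, port) in SAMPLES.items():
        print(f"{name:18s} run={find_inc_ebx_sled(payload):3d} "
              f"alert(ignore clear-text)={would_alert(payload, port)} "
              f"alert(all ports)={would_alert(payload, port, False)}")
```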

--
False Negatives:
none known

--
Corrective Action:
none known

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Mike Poor <mike.poor@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

CansecWest:
http://cansecwest.com/noplist-v1-1.txt

--