RE: snort: SHELLCODE x86 NOOP
From: Greg Hoglund (hoglund@cenzic.com)
Date: 04/09/02
- Previous message: Chris Green: "Snort 1.8.6 is Available!"
- Maybe in reply to: westphal@secom-consulting.de: "snort: SHELLCODE x86 NOOP"
- Next in thread: Kevin_Butters@NAI.com: "RE: snort: SHELLCODE x86 NOOP"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 8 Apr 2002 15:57:48 -0700
From: "Greg Hoglund" <hoglund@cenzic.com>
To: "Bryan Burns" <bburns@onesecure.com>, <westphal@secom-consulting.de>, <focus-ids@securityfocus.com>
Just as a side, 0x90 is not the only NOP sled possible for x86, for example the ever popular AAAAAAAAAAA string evaluates to the equivalent of a NOP sled, 'inc ecx' if I remember correctly - there are a million ways to make a sled. You can even mix and match them, like 0x4190419041904190 and stuff like that. NOP sled signatures aren't very smart - it's just not something that is unique enough to match on.
-Greg Hoglund
CTO, Cenzic, Inc.
-----Original Message-----
From: Bryan Burns [mailto:bburns@onesecure.com]
Sent: Monday, April 08, 2002 2:13 PM
To: westphal@secom-consulting.de; focus-ids@securityfocus.com
Subject: RE: snort: SHELLCODE x86 NOOP
The Snort shellcode signature is probably looking for a NOOP sled, which is
a sequence of 0x90 bytes. There's nothing preventing any binary data such
as a JPG image or an x86 executable containing the same pattern of bytes.
Someone was probably just downloading a harmless binary off your web server.
The "Shellcode" set of signatures is trying to look for generic attacks
that haven't been discovered yet by looking for patterns in network traffic
that appear to be dangerous or common CPU instructions used in hax0ring
attempts. These signatures are prone to a high false-positive rate though,
and often get triggered by perfectly harmless data.
-Bryan
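To make the two points in this exchange concrete, here is an added Python example (not code from the thread, and not Snort's rule logic) that runs a simplified 0x90-run check of the kind Bryan describes, plus a broader repeated-instruction-run check, over a few constructed payloads. The sample payloads, the thresholds and the function names are assumptions for illustration; the only byte patterns used are the ones already named in the thread (0x90, the 'A' string, and the mixed 0x41/0x90 pattern).

```python
import re

# Constructed sample payloads (not captured traffic): the classic 0x90 run,
# the 'AAAA...' string from Greg's reply, his mixed 0x41/0x90 pattern, a
# constructed binary blob padded with 0x90, and ordinary text.
SAMPLES = {
    "nop_run":    b"GET /x HTTP/1.0\r\n" + b"\x90" * 40,
    "a_string":   b"POST /f HTTP/1.0\r\n\r\nname=" + b"A" * 40,
    "mixed":      b"\x41\x90" * 24,
    "binary_pad": b"BM" + b"\x00" * 10 + b"\x90" * 20,
    "plain_text": b"The meeting is in the AAAA building, room 42.",
}


def snort_style_nop_match(payload: bytes, min_run: int = 14) -> bool:
    """Approximation of the classic SHELLCODE x86 NOOP check: a run of at
    least min_run consecutive 0x90 bytes anywhere in the payload.
    (min_run is an assumed threshold, not the value from any real rule.)"""
    return b"\x90" * min_run in payload


def repeated_byte_runs(payload: bytes, min_run: int = 14):
    """Every run of one repeated byte at least min_run long, reported as
    (byte_value, run_length, offset). Catches 0x90 and 0x41 runs alike,
    so it is broader than the 0x90-only check but fires on padding too."""
    pattern = rb"(.)\1{%d,}" % (min_run - 1)
    return [(m.group(1)[0], m.end() - m.start(), m.start())
            for m in re.finditer(pattern, payload, re.DOTALL)]


def repeated_pattern_runs(payload: bytes, width: int = 2, min_repeats: int = 8):
    """Every run of a `width`-byte unit repeated at least min_repeats times,
    reported as (unit, repeats, offset). Catches the mixed 0x41 0x90 case
    that neither single-byte check sees."""
    pattern = rb"(.{%d})\1{%d,}" % (width, min_repeats - 1)
    return [(m.group(1), (m.end() - m.start()) // width, m.start())
            for m in re.finditer(pattern, payload, re.DOTALL)]


def triage(payload: bytes) -> dict:
    """Run all three checks so the narrow 0x90 rule can be compared with the
    broader run detectors on the same payload."""
    return {
        "nop_0x90": snort_style_nop_match(payload),
        "byte_runs": repeated_byte_runs(payload),
        "pattern_runs": repeated_pattern_runs(payload),
    }


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, triage(data))
```

Running it shows both halves of the thread's argument: the 0x90 check fires on the constructed binary padding (Bryan's false positive) and stays silent on the 'A' string and the mixed pattern (Greg's point), while the broader run detectors catch those but fire just as readily on benign repetition. Any of these checks is only a weak hint on its own; in practice the alert needs context such as the service, direction and content type of the transfer before it means anything.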