[Emerging-Sigs] SIGS: 2 Shellcode x86 sigs with Byte_Jump, needs further testing, good results so far

Kevin Ross kevross33 at googlemail.com
Tue Oct 12 06:27:07 EDT 2010


I have been running these sigs for a week now on my home and work networks
with good results (0 FPs and detection of shellcodes I was sending past it,
not all shellcodes but a good amount are detected as they use this method).
These came about because of this article
www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/
where the value specified after |EB| was the jump which led in their case to
|E8 F8 FF FF FF| and |E8 E8 FF FF FF|. Now after much playing I came up with
these 2 sigs and they seem to work very well.

This can detect a fair amount of shellcodes (linux, windows, bsd,
polymorphic apparently though never tested this and so on). I think
following some volunteers and testing these sigs may be good (obviously
written for detection, not performance though I have done my best). With the
byte_jump to the |E8| FF part meaning it is very specific it should help
limit FPs (though I expect a few). However, I do not think this will FP as
bad as some of the other shellcode sigs on offer and it may offer excellent
detection.

# TCP: match |EB|, follow its 1-byte displacement, require |E8| right at the landing point, then |FF FF FF| one byte further on
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible TCP x86 Shellcode Detected"; flow:established,to_server; content:"|EB|"; byte_jump:1,0,relative; content:"|E8|"; within:1; content:"|FF FF FF|"; distance:1; within:3; classtype:shellcode-detect; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; sid:1868001; rev:1;)

# UDP: same byte logic, no flow keyword since UDP is connectionless
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UDP x86 Shellcode Detected"; content:"|EB|"; byte_jump:1,0,relative; content:"|E8|"; within:1; content:"|FF FF FF|"; distance:1; within:3; classtype:shellcode-detect; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; sid:1868002; rev:1;)

Thoughts, improvements and offers for testing?
Regards, Kev
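To make the rule logic concrete, here is an added Python emulation of the option chain above (content |EB|, byte_jump, |E8| within 1, |FF FF FF| at distance 1 within 3). It is not part of the original post and not Snort code; the function name, the optional strict check that decodes the CALL's rel32, and the test byte strings are all constructed for illustration.

```python
"""Emulation of the posted rule's match logic, with a stricter variant."""
from typing import Optional


def find_jmp_call_stub(payload: bytes, strict: bool = False) -> Optional[int]:
    """Return the offset of the |EB| that satisfies the rule, or None.

    Mirrors the rule options in order:
      content:"|EB|"            -> candidate short-jump opcode
      byte_jump:1,0,relative    -> read the 1-byte displacement (unsigned, as
                                   Snort's byte_jump does) and move past it
      content:"|E8|"; within:1  -> a CALL opcode must sit exactly there
      content:"|FF FF FF|"; distance:1; within:3
                                -> skip the low rel32 byte, upper three are FF
    With strict=True (an assumed refinement, not in the rule), also decode
    the CALL's rel32 and require it to return to the byte right after the
    JMP, which is the classic jmp/call/pop GetPC shape the rule targets.
    """
    for i in range(len(payload) - 1):
        if payload[i] != 0xEB:
            continue
        disp = payload[i + 1]
        target = i + 2 + disp
        if target + 5 > len(payload) or payload[target] != 0xE8:
            continue
        if payload[target + 2:target + 5] != b"\xff\xff\xff":
            continue
        if strict:
            rel32 = int.from_bytes(payload[target + 1:target + 5], "little", signed=True)
            if target + 5 + rel32 != i + 2:
                continue
        return i
    return None


# Constructed test vectors (not real captures).
# JMP +14 over a NOP pad to a CALL whose rel32 (-19) lands back at offset 2.
STUB = b"\xeb\x0e" + b"\x90" * 14 + b"\xe8\xed\xff\xff\xff" + b"\x5e"
# Same opcodes, but the CALL goes forward as ordinary code would: no match.
BENIGN_CALL = b"\xeb\x02\x90\x90\xe8\x10\x00\x00\x00"
# |EB| whose displacement points past the end of the packet: no match.
TRUNCATED = b"\xeb\x40\x90\x90"
# Satisfies the rule bytes, but the CALL (-16) does not return to the JMP+2.
LOOSE_ONLY = b"\xeb\x03\x90\x90\x90\xe8\xf0\xff\xff\xff"

if __name__ == "__main__":
    for name, data in [("STUB", STUB), ("BENIGN_CALL", BENIGN_CALL),
                       ("TRUNCATED", TRUNCATED), ("LOOSE_ONLY", LOOSE_ONLY)]:
        print(name, find_jmp_call_stub(data), find_jmp_call_stub(data, strict=True))
```

The LOOSE_ONLY vector is the kind of sequence the posted rule alone would alert on; the strict variant shows one extra check a rule author could consider to trim such hits.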