[Emerging-Sigs] SIGS: 2 Shellcode x86 sigs with Byte_Jump, needs further testing, good results so far

Will Metcalf william.metcalf at gmail.com
Wed Oct 13 11:21:58 EDT 2010


Consider yourself fp'd... There is a reason why we put established on
these ;-)...

scapy
send([IP(src=RandIP("0.0.0.0/0"),dst="192.168.2.3")/TCP(sport=RandNum(1024,65535),dport=80,flags="A")/'\xEB\x00\xE8\x00\xFF\xFF\xFF']*10000)
...Sent 10000 packets.

/opt/snort2861/bin/snort -c /opt/snort2861/etc/snort-vrt.conf -l ./ -k none -r deathby10000spoofedpackets.pcap -A fast -q
cat alert |wc -l
10000

Regards,

Will

On Wed, Oct 13, 2010 at 3:05 AM, Kevin Ross <kevross33 at googlemail.com> wrote:
> On the TCP one I think established should be removed (that is the rule I am
> running anyway) just in case. I haven't had a single FP with them yet :)
>
> On 12 October 2010 23:31, Matthew Jonkman <jonkman at emergingthreatspro.com>
> wrote:
>>
>> Worth a shot, posting for testing.
>> Matt
>> On Oct 12, 2010, at 7:09 AM, Kevin Ross wrote:
>>
>> One more modification: even though I have not encountered it, apparently an
>> FP may be generated on some PE files though it isn't common (in the article
>> there were no FPs on 50 Gig of data though it did fire for legitimate use on
>> some PE files of this method). I am sure it would be rare but I think a
>> negation would help limit the risk. Thoughts, and anyone want to give these a
>> try to test them further?
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible
>> TCP x86 Shellcode Detected"; flow:established,to_server; content:"|EB|";
>> byte_jump:1,0,relative; content:"|E8|"; within:1; content:"|FF FF FF|";
>> distance:1; within:3; content:!"This program cannot be run in DOS mode";
>> classtype:shellcode-detect;
>> reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/;
>> sid:1868001; rev:1;)
>>
>> alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible
>> UDP x86 Shellcode Detected"; content:"|EB|"; byte_jump:1,0,relative;
>> content:"|E8|"; within:1; content:"|FF FF FF|"; distance:1; within:3;
>> classtype:shellcode-detect;
>> reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/;
>> sid:1868002; rev:1;)
>>
>> Regards, Kevin
>>
>> On 12 October 2010 11:27, Kevin Ross <kevross33 at googlemail.com> wrote:
>>>
>>> I have been running these sigs for a week now on my home and work
>>> networks with good results (0 FPs and detection of shellcodes I was sending
>>> past it, not all shellcodes but a good amount are detected as they use this
>>> method). These came about because of this article
>>> www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/
>>> where the value specified after |EB| was the jump which led in their case to
>>> |E8 F8 FF FF FF| and |E8 E8 FF FF FF|. Now after much playing I came up with
>>> these 2 sigs and they seem to work very well.
>>>
>>> This can detect a fair amount of shellcodes (linux, windows, bsd,
>>> polymorphic apparently, though never tested this, and so on). I think
>>> following some volunteers and testing these sigs may be good (obviously
>>> written for detection, not performance, though I have done my best). With the
>>> byte_jump to the |E8| FF part meaning it is very specific, it should help
>>> limit FPs (though I expect a few). However, I do not think this will FP as
>>> badly as some of the other shellcode sigs on offer and it may offer excellent
>>> detection.
>>>
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible
>>> TCP x86 Shellcode Detected"; flow:established,to_server; content:"|EB|";
>>> byte_jump:1,0,relative; content:"|E8|"; within:1; content:"|FF FF FF|";
>>> distance:1; within:3; classtype:shellcode-detect;
>>> reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/;
>>> sid:1868001; rev:1;)
>>>
>>> alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible
>>> UDP x86 Shellcode Detected"; content:"|EB|"; byte_jump:1,0,relative;
>>> content:"|E8|"; within:1; content:"|FF FF FF|"; distance:1; within:3;
>>> classtype:shellcode-detect;
>>> reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/;
>>> sid:1868002; rev:1;)
>>>
>>> Thoughts, improvements and offers for testing?
>>> Regards, Kev
>>
>>
>>
>> ----------------------------------------------------
>> Matthew Jonkman
>> Emergingthreats.net
>> Emerging Threats Pro
>> Open Information Security Foundation (OISF)
>> Phone 765-807-8630
>> Fax 312-264-0205
>> http://www.emergingthreatspro.com
>> http://www.openinfosecfoundation.org
>> ----------------------------------------------------
>>
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>
>>
>>
>
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
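The rule logic Kevin describes above and the spoofed-ACK false positive Will demonstrates, as an added Python example that is not part of this thread and is not Snort's detection engine: it approximates the semantics of content, byte_jump:1,0,relative, distance and within for these two rules, runs them over constructed payloads (the jmp/call GetPC idiom from the referenced article, Will's seven-byte payload, ordinary HTTP text, and a PE-like blob carrying the DOS stub string), and models flow:established as a toy "handshake seen" flag per packet. The names Match, x86_shellcode_sig and alerts are assumptions of this example, not Snort's.

```python
# Added example: an approximation of the two ET SHELLCODE rules quoted in
# this thread (sids 1868001/1868002).  Not Snort's engine; it follows the
# documented option semantics closely enough to show which bytes fire.
from dataclasses import dataclass

PE_DOS_STUB = b"This program cannot be run in DOS mode"


@dataclass
class Match:
    jmp_offset: int   # index of the EB byte the rule started from
    call_offset: int  # index of the E8 byte that byte_jump landed on
    rel8: int         # unsigned jump distance that byte_jump consumed


def x86_shellcode_sig(payload: bytes, pe_negation: bool = True):
    """Return a Match if the payload would fire the rule, else None.

    Rule chain reproduced:
      content:"|EB|"; byte_jump:1,0,relative;           # jmp short rel8
      content:"|E8|"; within:1;                          # land on a call
      content:"|FF FF FF|"; distance:1; within:3;        # disp32 in -1..-256
      content:!"This program cannot be run in DOS mode"  # TCP rule only
    Snort retries later |EB| occurrences when the relative chain fails,
    so every occurrence is tried here as well.
    """
    if pe_negation and PE_DOS_STUB in payload:
        return None
    n = len(payload)
    start = 0
    while True:
        eb = payload.find(b"\xEB", start)
        if eb < 0:
            return None
        start = eb + 1
        cursor = eb + 1                    # detect pointer just past EB
        if cursor >= n:
            continue
        # byte_jump:1,0,relative reads one *unsigned* byte, moves past it,
        # then jumps that many bytes forward (a backward short jump such as
        # EB F0 is therefore treated as a 240-byte forward skip by the rule).
        rel8 = payload[cursor]
        cursor += 1 + rel8
        # content:"|E8|"; within:1 -> E8 must sit exactly at the cursor.
        if cursor >= n or payload[cursor] != 0xE8:
            continue
        call_offset = cursor
        # Step past E8, then distance:1 skips the variable low displacement
        # byte (F8, E8, ...); within:3 forces the next three bytes to be FF.
        cursor += 2
        if payload[cursor:cursor + 3] != b"\xFF\xFF\xFF":
            continue
        return Match(eb, call_offset, rel8)


def alerts(packets, require_established: bool = True) -> int:
    """Toy model of flow:established: a packet reaches the rule only if the
    stream tracker saw the session handshake.  Spoofed bare ACKs never do."""
    return sum(
        1 for established, payload in packets
        if (established or not require_established)
        and x86_shellcode_sig(payload) is not None
    )


# Constructed samples (not captures from the thread):
# jmp short +3, three filler bytes, call -8: the idiom behind |E8 F8 FF FF FF|.
GETPC = b"\xEB\x03" + b"\x90\x90\x90" + b"\xE8\xF8\xFF\xFF\xFF"
# Will's seven-byte payload from the scapy one-liner above.
SPOOFED = b"\xEB\x00\xE8\x00\xFF\xFF\xFF"
# Plain HTTP text followed by an EB that jumps onto an ASCII byte, not E8.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n" + b"\xEB\x05ABCDEFGHIJ"
# A PE-like blob: MZ header, the DOS stub string, then the GETPC bytes.
PE_LIKE = b"MZ\x90\x00" + PE_DOS_STUB + b"\x00" * 8 + GETPC
# Ten thousand spoofed ACKs that never completed a handshake.
SPOOFED_FLOOD = [(False, SPOOFED)] * 10000

if __name__ == "__main__":
    for name, blob in (("GETPC", GETPC), ("SPOOFED", SPOOFED),
                       ("BENIGN", BENIGN), ("PE_LIKE", PE_LIKE)):
        print(name, x86_shellcode_sig(blob))
    print("PE_LIKE without negation:", x86_shellcode_sig(PE_LIKE, pe_negation=False))
    print("flood alerts with established:", alerts(SPOOFED_FLOOD))
    print("flood alerts without established:", alerts(SPOOFED_FLOOD, require_established=False))
```

Two things to read off the results: the distance:1 skip is what lets the rule tolerate any low displacement byte while still insisting on a short backwards call, and a seven-byte payload in a bare ACK satisfies every byte check, so without flow:established the rule counts packets rather than sessions, which is Will's 10000 alerts.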

