1394.txt

snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具

Rule:

--
Sid:

1394

--
Summary:
This event is generated when an attempt is made to possibly overflow a buffer.

The NOOP warning occurs when a series of NOOP (no operation) are found in a stream. Most buffer overflow exploits typically use NOOPs sleds to pad the code.

--
Impact:

This might indicate someone is trying to use a buffer overflow exploit. 

Full compromise of  system is possible if the exploit is successful.

--
Detailed Information:
This rule detects a large number of consecutive NOOP instructions used in padding code. It's not specific to a particular service exploit, but rather used to try and detect buffer overflows in general. It is common for buffer overflow code to contain a large sequence of NOOP instructions as it increases the odds of successful execution of the useful shellcode. 

--
Affected Systems:

	Any x86 programs.

--
Attack Scenarios:
An attacker uses a buffer overflow exploit which contains the following payload:

	90 90 90 90 90 90 90 90 90 90 /bin/sh

--
Ease of Attack:
Simple.

--
False Positives:
High, This event may be generated by applications such as ftp and http 
when binary data is being transfered. 

A false Positive can be generated if the snort sensor detects text from an IRC
client or any other application that passes data plaintext. The event is
generated if snort detects several (a) characters in a row - such as
'aaaaaaaaaa'.

--
False Negatives:

None known

--
Corrective Action:
Apply a non-executable user stack patch to your kernel

Secure programming/execution of a program

Check the destination host and service to verify if any buffer overflow vulnerability exists.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>
Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com)

--
Additional References:

--