643.txt

snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具

Rule: 

--
Sid: 643

--
Summary: 
This event is generated when a buffer overflow attack is attempted against a target machine.

--
Impact: 
Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user.


-- 
Detailed Information: 
This rule tracks the bit combination which may occur in network packets aimed at overflowing HP-UX UNIX network services. The buffer overflow attack attempts to force the vulnerable application to execute  attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system.

--
Attack Scenarios: 
An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target.

--
Ease of Attack: 
Simple


--
False Positives: 
This event may be generated by legitimate traffic to the specified port.


-- 
False Negatives: 
This event is specific to the shell code defined in the rule.
Other shell code sequences may not be detected.

--
Corrective Action: 
Check the target host for other signs of compromise.

Look for other events concerning the target host.

Apply vendor supplied patches and keep the operating system up to date.

--
Contributors: 
Original Rule Writer Unkown
Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

-- 
Additional References:

Arachnids:
http://www.whitehats.com/info/IDS359

--