Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:1394 |
Message | SHELLCODE x86 NOOP |
Summary | This event is generated when an attempt is made to possibly overflow a buffer. The NOOP warning occurs when a series of NOOP (no operation) instructions is found in a stream. Most buffer overflow exploits use NOOP sleds to pad the code. |
Impact | This might indicate someone is trying to use a buffer overflow exploit. Full compromise of system is possible if the exploit is successful. |
Detailed Information | This rule detects a large number of consecutive NOOP instructions used as padding. It is not specific to a particular service exploit, but is used to detect buffer overflows in general. It is common for buffer overflow code to contain a long sequence of NOOP instructions, as this increases the odds that the useful shellcode executes successfully. |
Affected Systems | Any x86 program. |
Attack Scenarios | An attacker uses a buffer overflow exploit which contains the following payload: 90 90 90 90 90 90 90 90 90 90 /bin/sh |
Ease of Attack | Simple. |
Corrective Action | Apply a non-executable user stack patch to your kernel. Follow secure programming and execution practices for the program. Check the destination host and service to verify whether a buffer overflow vulnerability exists. |
Additional References |
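The following is an added example, not the Snort rule itself or Aanval's code: a minimal detector that mirrors what the Detailed Information and Attack Scenarios rows describe, a run of consecutive x86 NOOP (0x90) bytes in a payload. The minimum run length is an assumption for this example, since the page does not state the rule's exact byte count; the sample payloads are constructed, not captured traffic.

```python
# Added example (not the Snort rule itself): detect a NOOP sled, i.e. a long
# run of consecutive x86 NOP (0x90) bytes, in a byte stream.
from typing import Optional, Tuple

NOP = 0x90

# Assumed threshold for this example; the real rule's byte count is not
# given on this page.
DEFAULT_MIN_RUN = 10


def longest_nop_run(data: bytes) -> Tuple[int, int]:
    """Return (offset, length) of the longest run of 0x90 bytes in data.

    Returns (-1, 0) when no 0x90 byte is present.
    """
    best_off, best_len = -1, 0
    cur_off, cur_len = -1, 0
    for i, b in enumerate(data):
        if b == NOP:
            if cur_len == 0:
                cur_off = i
            cur_len += 1
            if cur_len > best_len:
                best_off, best_len = cur_off, cur_len
        else:
            cur_len = 0
    return best_off, best_len


def nop_sled_alert(data: bytes, min_run: int = DEFAULT_MIN_RUN) -> Optional[dict]:
    """Emulate the rule: alert only when a run of at least min_run NOPs is seen."""
    off, length = longest_nop_run(data)
    if length >= min_run:
        return {"sid": "1:1394", "msg": "SHELLCODE x86 NOOP",
                "offset": off, "run_length": length}
    return None


# Constructed sample payloads (not real captures).
# 1) The shape from the Attack Scenarios row: a NOOP sled followed by "/bin/sh".
SLED_PAYLOAD = bytes([NOP] * 10) + b"/bin/sh"
# 2) Benign binary data with a few scattered 0x90 bytes: image and compressed
#    data commonly contain this byte value, which is why single occurrences
#    must not fire the alert.
BENIGN_PAYLOAD = b"\x89PNG\r\n\x1a\n\x90\x00\x90\x90\x00\x13\x90\x7f"

if __name__ == "__main__":
    for name, payload in (("sled", SLED_PAYLOAD), ("benign", BENIGN_PAYLOAD)):
        print(name, nop_sled_alert(payload))
```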
--
DID:407427