Re: [tor-bugs] #2341 [Tor Relay]: Shellcode
#2341: Shellcode
---------------------------+------------------------------------------------
Reporter: cypherpunks | Type: defect
Status: closed | Priority: normal
Milestone: | Component: Tor Relay
Version: Tor: 0.2.1.26 | Resolution: not a bug
Keywords: | Parent:
---------------------------+------------------------------------------------
Changes (by nickm):
* status: new => closed
* type: task => defect
* resolution: => not a bug
Comment:
Well, this is more of a snort question than a Tor question. The sequences
that snort is checking for here are sequences that would be interpreted as
"Setuid 0" if they were run in a binary. Some of them are very short, so
you shouldn't be surprised to see them occur randomly in binary data. A
quick search for "shellcode x86 setuid 0" should turn up some more
information here.
(And whoever said that "shellcode x86 setuid 0" has no known false
positives, no known false negatives, or no known false alarms is IMO quite
mistaken. If I'm reading the documentation right, it's just a 4-byte
sequence that you'd expect to occur by chance in encrypted data once every
GB or so -- so that would create both false positives and false alarms. It's
pretty trivial to write obfuscated exploits, so false negatives are also
expected.)
Here are some links I found useful:
http://seclists.org/ids/2000/Jun/36 (explains both why you should
expect false positives and false negatives)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2341#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
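Added example, not part of the ticket and not code from Snort or Tor: the arithmetic behind the comment above (a 4-byte content match against uniformly random bytes, which is what encrypted Tor traffic looks like to an IDS) and the two failure modes it names, a chance hit in random data and a miss on a trivially encoded payload. The signature bytes `b0 17 cd 80` (`mov al,0x17; int 0x80`, setuid being syscall 23 on 32-bit Linux) are an assumption about what the "x86 setuid 0" rule matches, the sample shellcode and the XOR "encoder" are constructed here for illustration, and none of the names below come from the page.

```python
# Added example: the arithmetic and the two failure modes behind a short
# IDS content match. Not part of the ticket, nor Snort's or Tor's code.
import os

# ASSUMED signature bytes for the "x86 setuid 0" rule:
#   b0 17    mov al, 0x17   (setuid is syscall 23 on 32-bit Linux)
#   cd 80    int 0x80
# Treat this as an illustrative assumption, not a quote of the rule.
SETUID0_PATTERN = bytes.fromhex("b017cd80")

GIB = 1 << 30


def expected_hits_per_gib(pattern: bytes) -> float:
    """Expected number of chance matches of `pattern` per GiB of uniformly
    random bytes (encrypted traffic is indistinguishable from this).

    Every byte offset is an independent trial with success probability
    256 ** -len(pattern), and there are GIB offsets per GiB of data.
    For a 4-byte pattern this is 2**30 / 2**32 = 0.25, i.e. about one
    chance hit per 4 GiB.
    """
    return GIB * 256.0 ** -len(pattern)


def count_matches(data: bytes, pattern: bytes) -> int:
    """Naive content match, as a signature engine does it: count every
    (possibly overlapping) occurrence of `pattern` in `data`."""
    hits, start = 0, 0
    while (i := data.find(pattern, start)) >= 0:
        hits += 1
        start = i + 1
    return hits


def xor_encode(payload: bytes, key: int) -> bytes:
    """Toy single-byte XOR encoder (constructed for this example).
    A real encoded exploit prepends a decoder stub that restores the bytes
    in memory before jumping to them; the stub is omitted because the only
    point here is that the bytes on the wire no longer contain the pattern."""
    return bytes(b ^ key for b in payload)


# Constructed sample payload: xor ebx,ebx ; mov al,0x17 ; int 0x80 -> setuid(0)
PLAIN_SHELLCODE = bytes.fromhex("31db" + "b017cd80")


def false_negative_demo(key: int = 0x55) -> tuple:
    """(matches in the plain payload, matches in the same payload XOR-encoded).
    The encoded copy carries the same exploit but the signature never fires."""
    return (count_matches(PLAIN_SHELLCODE, SETUID0_PATTERN),
            count_matches(xor_encode(PLAIN_SHELLCODE, key), SETUID0_PATTERN))


def false_positive_demo(size: int = 1 << 16, offset: int = 1234) -> int:
    """Random bytes standing in for a TLS record, with the 4-byte pattern
    planted at `offset` (what chance produces about once per 4 GiB):
    the matcher fires although nothing in this buffer is executable."""
    buf = bytearray(os.urandom(size))
    buf[offset:offset + len(SETUID0_PATTERN)] = SETUID0_PATTERN
    return count_matches(bytes(buf), SETUID0_PATTERN)


if __name__ == "__main__":
    print("expected chance hits per GiB:", expected_hits_per_gib(SETUID0_PATTERN))
    print("plain vs. XOR-encoded payload:", false_negative_demo())
    print("hits in random buffer with planted pattern:", false_positive_demo())
```

The one number worth remembering is the per-offset probability, 256 to the minus pattern length: a relay moving a few GiB a day through an IDS with this rule will see the alert from time to time without any exploit being present, and any attacker who bothers to encode the payload will not trip it at all.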