
snort-2.3.3-2.3.20060mdk.x86_64.rpm

Rule: 

--
Sid: 641

--
Summary: 
This event is generated when a buffer overflow attack is attempted against a target machine.

--
Impact: 
Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user.


-- 
Detailed Information: 
This rule looks for a byte sequence that may appear in network packets aimed at overflowing Digital UNIX network services. A buffer overflow attack attempts to force the vulnerable application to execute attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system.

The specific string used during the overflow is application-dependent; however, a platform-specific command or code sequence may be present, and that sequence is what this rule detects.

--
Attack Scenarios: 
An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target.

--
Ease of Attack: 
Simple


--
False Positives: 
This event may be generated by legitimate traffic to the specified port.


-- 
False Negatives: 
This event is specific to the shell code defined in the rule.
Other shell code sequences may not be detected.
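
As an added illustration, not part of the Snort documentation above, the following Python models how a fixed-byte `content` match with `offset`/`depth` such as this rule's behaves, and why the False Negatives note applies. The page does not reproduce the rule's actual content, so `PATTERN` and the sample payloads are constructed placeholders, not the real SID 641 bytes.

```python
# Added example: a minimal model of a Snort-style "content" match with
# offset/depth semantics, used to show how a fixed-byte shellcode rule
# fires and why a different byte sequence serving the same purpose is
# not detected. PATTERN is a constructed placeholder, NOT SID 641's content.
from dataclasses import dataclass
from typing import Optional

PATTERN = b"\x47\x01\x04\x47\x01\x04"  # placeholder bytes, constructed for this example


@dataclass
class ContentMatch:
    sid: int
    msg: str
    content: bytes
    offset: int = 0              # byte position where the search starts
    depth: Optional[int] = None  # bytes searched past offset (None = to end)

    def matches(self, payload: bytes) -> bool:
        """True if the content appears inside the offset/depth window."""
        if self.depth is None:
            window = payload[self.offset:]
        else:
            window = payload[self.offset:self.offset + self.depth]
        return self.content in window


RULE = ContentMatch(sid=641, msg="placeholder shellcode sequence", content=PATTERN)


def alerts_for(payload: bytes) -> list:
    """Return the alert strings the modelled rule raises for one payload."""
    return [f"[{RULE.sid}] {RULE.msg}"] if RULE.matches(payload) else []


# Constructed sample payloads (an FTP USER command with filler bytes).
SAMPLE_MATCHING = b"USER " + b"A" * 24 + PATTERN * 3 + b"\r\n"
SAMPLE_VARIANT = b"USER " + b"A" * 24 + b"\x47\xff\x04\x1f" * 4 + b"\r\n"
SAMPLE_BENIGN = b"USER anonymous\r\n"

if __name__ == "__main__":
    for name, p in [("matching", SAMPLE_MATCHING), ("variant", SAMPLE_VARIANT), ("benign", SAMPLE_BENIGN)]:
        print(name, alerts_for(p))
```

The variant payload carries different filler bytes, so this rule stays silent for it, which is exactly the false-negative case described above.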

--
Corrective Action: 
Check the target host for other signs of compromise.

Look for other events concerning the target host.

Apply vendor supplied patches and keep the operating system up to date.

--
Contributors: 
Original Rule Writer Unknown
Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

-- 
Additional References:

Arachnids:
http://www.whitehats.com/info/IDS352

--