Rule:

--
Sid:
642

--
Summary:
This event is generated when a buffer overflow attack is attempted against a target machine.

--
Impact:
Serious. The attacker may be able to gain remote access to the system or execute arbitrary code with the privileges of the user account under which the vulnerable service runs.

--
Detailed Information:
This rule looks for a byte sequence that may occur in network packets aimed at overflowing HP-UX network services. A buffer overflow attack attempts to force the vulnerable application to execute attacker-controlled code in order to gain interactive access to, or run arbitrary commands on, the vulnerable system. The specific string used during the overflow is application-dependent; however, a platform-specific instruction sequence may be present, and that fixed sequence is what this rule detects.

--
Attack Scenarios:
An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target.

--
Ease of Attack:
Simple.

--
False Positives:
This event may be generated by legitimate traffic to the specified port. Binary data such as file transfers or compressed and encrypted streams can contain the byte sequence by chance, so a match alone is not proof of an attack.

--
False Negatives:
This event is specific to the shell code defined in the rule. Other shell code sequences, for example an alternative NOP-equivalent instruction or an encoded payload, may not be detected.

--
Corrective Action:
Check the target host for other signs of compromise. Look for other events concerning the target host. Apply vendor-supplied patches and keep the operating system up to date.

--
Contributors:
Original rule writer unknown
Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:
Arachnids:
http://www.whitehats.com/info/IDS358

--
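The detection described above is a fixed byte-sequence match with a port filter in front of it, which is exactly why both the false positive and the false negative cases arise. The following is an added example, not Snort's own code and not the text of SID 642: a minimal model of such a rule run over constructed packets. The sled bytes, the variant sled bytes, the rule message, the addresses and the port filter are all placeholders chosen for illustration; the port filter assumes the common Snort convention of excluding source port 80 from shellcode rules.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed placeholder for the rule's platform-specific byte sequence:
# one 4-byte machine word repeated, the shape of a NOP sled. These bytes are
# NOT the real content of SID 642 and do not encode any HP-UX instruction.
SLED_WORD = b"\xaa\xbb\xcc\xdd"
RULE_CONTENT = SLED_WORD * 4          # 16-byte pattern the model rule searches for


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    content: bytes
    # Source ports the rule skips. Assumed here to mirror a shellcode port
    # variable of "!80", i.e. ignore replies coming from a web server.
    excluded_sports: frozenset = frozenset({80})


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Apply the header port filter, then the fixed content match."""
    if pkt.sport in rule.excluded_sports:
        return False
    return rule.content in pkt.payload


def scan(rule: Rule, packets: Iterable[Packet]) -> List[Tuple[Packet, str]]:
    """Return (packet, msg) for every packet that fires the rule."""
    return [(p, rule.msg) for p in packets if rule_matches(rule, p)]


MODEL_RULE = Rule(sid=642, msg="HP-UX shellcode pattern (model)", content=RULE_CONTENT)

# Constructed packets (all addresses are documentation ranges, all payloads invented).
# 1. FTP USER overflow carrying the sled: true positive.
EXPLOIT_FTP = Packet("203.0.113.9", 40211, "192.0.2.10", 21,
                     b"USER " + RULE_CONTENT * 6 + b"\x7f\xff\xf0\x00\r\n")
# 2. Benign binary transfer that happens to contain the same 16 bytes: false positive.
BENIGN_BINARY = Packet("203.0.113.9", 40300, "192.0.2.10", 20,
                       b"\x00" * 8 + RULE_CONTENT + b"\x01\x02")
# 3. Same attack using a different NOP-equivalent word: false negative.
VARIANT_WORD = b"\x11\x22\x33\x44"    # constructed, stands for another NOP-equivalent encoding
VARIANT_SLED = Packet("203.0.113.9", 40212, "192.0.2.10", 21,
                      b"USER " + VARIANT_WORD * 24 + b"\r\n")
# 4. The pattern arriving from source port 80 is never inspected by this rule.
WEB_REPLY = Packet("198.51.100.5", 80, "192.0.2.20", 51000,
                   b"HTTP/1.0 200 OK\r\n\r\n" + RULE_CONTENT)

SAMPLES = {
    "exploit_ftp": EXPLOIT_FTP,
    "benign_binary": BENIGN_BINARY,
    "variant_sled": VARIANT_SLED,
    "web_reply": WEB_REPLY,
}


def demo() -> dict:
    """Map each constructed packet to whether the model rule fires on it."""
    return {name: rule_matches(MODEL_RULE, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in demo().items():
        print(f"{name:14s} alert={fired}")
    print(f"{len(scan(MODEL_RULE, SAMPLES.values()))} of {len(SAMPLES)} packets alerted")
```

The two packets that alert look identical to the rule even though only one is an attack, and the variant sled slips through untouched; that is the practical meaning of the False Positives and False Negatives entries, and why a hit should be correlated with other events on the target host rather than treated as confirmation on its own.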