Rule:

--
Sid:
652

--
Summary:
This event is generated when suspicious shellcode is detected in network traffic.

--
Impact:
Denial of Service (DoS), possible execution of arbitrary code.

--
Detailed Information:
This event is generated when suspicious shellcode is detected. Many buffer overflow attacks contain large numbers of NOOP instructions to pad out the request so that an imprecise return address still lands in the payload. Other attacks contain specific shellcode sequences directed at certain applications or services. The shellcode in question may also be Unicode encoded, in which case each NOOP byte is followed by a null byte rather than appearing as a contiguous run.

--
Affected Systems:
Any software running on x86 architecture.

--
Attack Scenarios:
An attacker may exploit a DCERPC service by sending shellcode in the RPC data stream. Sending large amounts of data to the Microsoft Workstation service can cause a buffer overflow condition in the logging function, thus presenting an attacker with the opportunity to issue a DoS attack or, in some cases, to execute code of their choosing.

--
Ease of Attack:
Simple. Many exploits exist.

--
False Positives:
False positives may be generated by binary file transfers, since arbitrary binary data can legitimately contain the same byte sequences as a NOOP sled.

--
False Negatives:
None known.

--
Corrective Action:
Make sure the target host has all current patches applied and has the latest software versions installed.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

--
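The following is an added example, not part of the Snort documentation or the Snort rule itself. It shows the kind of matching this class of rule performs: finding a run of x86 NOOP bytes (0x90) in a payload, either raw or Unicode (UTF-16LE) encoded as 0x90 0x00 pairs. The minimum run length of eight and the sample payloads are assumptions made for illustration; the last sample is constructed to show the false positive from binary file transfers that the documentation warns about.

```python
"""
Added example (not Snort's own rule logic): detect x86 NOOP sleds, raw and
Unicode (UTF-16LE) encoded, in a byte payload.  The threshold and the
sample payloads below are assumptions for illustration.
"""
import re

NOP = b"\x90"
MIN_RUN = 8  # assumed minimum sled length; the real rule picks its own

# Raw sled: at least MIN_RUN consecutive 0x90 bytes.
RAW_NOP_SLED = re.compile(rb"\x90{%d,}" % MIN_RUN)
# Unicode sled: the same NOOP transmitted as UTF-16LE, i.e. 0x90 0x00 pairs.
UNICODE_NOP_SLED = re.compile(rb"(?:\x90\x00){%d,}" % MIN_RUN)

PATTERNS = (
    ("x86 NOOP", RAW_NOP_SLED),
    ("x86 unicode NOOP", UNICODE_NOP_SLED),
)


def find_nop_sleds(payload: bytes):
    """Return [(kind, offset, length), ...] for every qualifying sled,
    ordered by offset.  A raw sled cannot also match the Unicode pattern
    (and vice versa) because the null bytes break the raw run."""
    hits = []
    for kind, pattern in PATTERNS:
        for m in pattern.finditer(payload):
            hits.append((kind, m.start(), m.end() - m.start()))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample payloads (not real captures).
SAMPLES = {
    # Fake RPC request: a few header bytes, a UTF-16LE NOOP sled, then a stub.
    "rpc_unicode_sled": b"\x05\x00\x00\x03" + b"\x90\x00" * 32 + b"\x31\xc0\x50\x68",
    # Classic raw sled after a short HTTP request line.
    "raw_sled": b"GET /cgi-bin/x HTTP/1.0\r\n\r\n" + b"\x90" * 64 + b"\xcc",
    # Benign: 0x90 appears, but never MIN_RUN times in a row.
    "benign_image": b"\xff\xd8\xff\xe0" + bytes(range(256)) * 2,
    # False positive: a binary file transfer that happens to carry 0x90 padding.
    "binary_padding": b"PK\x03\x04" + b"\x90" * 200 + b"data",
}


def scan_samples():
    """Run the detector over every sample and return {name: hits}."""
    return {name: find_nop_sleds(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        status = "ALERT" if hits else "clean"
        print(f"{name:18s} {status:5s} {hits}")
```

The "binary_padding" sample fires exactly like the real sled, which is why the rule's false-positive note matters: a byte-pattern match alone cannot tell a NOOP sled from padding in a legitimate file, and an analyst should check the protocol and the bytes that follow the sled before treating the alert as an exploit attempt.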