Rule:

--
Sid:

1394

--
Summary:
This event is generated when a possible attempt to overflow a buffer is detected.

The NOOP warning occurs when a series of NOOP (no operation) instructions is found in a stream. Most buffer overflow exploits use NOOP sleds to pad the code.

--
Impact:

This might indicate someone is trying to use a buffer overflow exploit.

Full compromise of the system is possible if the exploit is successful.

--
Detailed Information:
This rule detects a large number of consecutive NOOP instructions used as padding. It is not specific to a particular service exploit, but is used to detect buffer overflow attempts in general. It is common for buffer overflow code to contain a long sequence of NOOP instructions, since the sled increases the odds that execution lands in the useful shellcode even when the exact return address is not known.

--
Affected Systems:

	Any x86 programs.

--
Attack Scenarios:
An attacker uses a buffer overflow exploit which contains the following payload:

	90 90 90 90 90 90 90 90 90 90 /bin/sh

--
Ease of Attack:
Simple.

--
False Positives:

High. This event may be generated by applications such as FTP and HTTP
when binary data is being transferred.
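The following is an added illustration of the detection logic described in the Detailed Information section and of the false positive discussed above; it is not Snort's code and not the rule text for SID 1394. It scans a byte stream for runs of consecutive 0x90 (x86 NOOP) bytes and raises an alert record for each run at or above a threshold. The threshold default of 10 matches the run in the sample payload on this page; the length the real rule uses is not stated here and is treated as an assumption. The two sample streams are constructed, not captured traffic: one has the shape of the Attack Scenarios payload, the other mimics a binary file transfer that happens to contain short 0x90 runs.

```python
import re
from typing import Dict, List, Tuple

# x86 single-byte NOP opcode; the sample payload on this page repeats it.
NOP_BYTE = b"\x90"

# Minimum run length that triggers an alert. 10 is the run length in the
# page's sample payload; the real rule's threshold is not on the page, so
# this default is an assumption of this example.
DEFAULT_MIN_RUN = 10


def find_nop_runs(data: bytes, min_run: int = DEFAULT_MIN_RUN) -> List[Tuple[int, int]]:
    """Return (offset, length) for every maximal run of at least min_run
    consecutive 0x90 bytes in data."""
    if min_run < 1:
        raise ValueError("min_run must be >= 1")
    # Greedy quantifier: each match is the whole maximal run, so one sled
    # yields one record rather than many overlapping windows.
    pattern = re.compile(b"\x90{%d,}" % min_run)
    return [(m.start(), m.end() - m.start()) for m in pattern.finditer(data)]


def scan_stream(data: bytes, min_run: int = DEFAULT_MIN_RUN) -> List[Dict[str, object]]:
    """Produce one alert record per qualifying run. The record shape and the
    message text are constructed for this example, not Snort's format."""
    alerts: List[Dict[str, object]] = []
    for offset, length in find_nop_runs(data, min_run):
        # Capture a few bytes after the sled so an analyst can see what it pads
        # (in the page's scenario that is the "/bin/sh" string).
        tail = data[offset + length : offset + length + 8]
        alerts.append(
            {
                "sid": 1394,
                "msg": "possible buffer overflow: x86 NOOP sled",
                "offset": offset,
                "run_length": length,
                "following_bytes": tail.hex(),
            }
        )
    return alerts


# Constructed sample streams (not captured traffic).
# 1. The shape of the Attack Scenarios payload: ten 0x90 bytes, then "/bin/sh".
SAMPLE_EXPLOIT = b"\x90" * 10 + b"/bin/sh"
# 2. A binary transfer: a file header, a short 0x90 run that benign binaries
#    can easily contain, every byte value once, then another short run.
SAMPLE_BINARY_TRANSFER = b"\x7fELF" + b"\x90" * 3 + bytes(range(256)) + b"\x90" * 5


if __name__ == "__main__":
    samples = (("exploit payload", SAMPLE_EXPLOIT), ("binary transfer", SAMPLE_BINARY_TRANSFER))
    for name, sample in samples:
        for min_run in (3, DEFAULT_MIN_RUN):
            print(f"{name}, min_run={min_run}: {scan_stream(sample, min_run)}")
```

Running it shows the tuning trade-off behind the False Positives entry: with a low threshold the binary transfer produces two alerts, while at the default threshold only the exploit-shaped stream alerts. When tuning on a real sensor, raise the threshold or exclude known binary-transfer ports rather than disabling the rule outright.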


--
False Negatives:

None known

--
Corrective Action:
Apply a non-executable user stack patch to your kernel.

Use secure programming practices (bounds checking) when building and running the program.

Check the destination host and service to verify whether any buffer overflow vulnerability exists.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>
Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com)

--
Additional References:
