Snort mailing list archives
Re: Shellcode x86 setgid 0
From: Togan Muftuoglu <toganm () users sourceforge net>
Date: Sun, 13 May 2001 18:23:23 +0300
* H D Moore <hdm () secureaustin com> [010513 18:10]:
Source port 20 to the high port 61470 indicates that an FTP transfer was occurring from 212.156.199.157 to 216.162.197.11. The shellcode signature was triggered by some binary data in the file that happened to match the x86 assembly for setgid0. Gif images and Zip files tend to set mine off all the time...
I was downloading an iso.gz file, yet this is the first time I am having this message (actually that was the first time I was using that downloader, so maybe there could be something with the downloader). So my guess as a false positive is true.
--
Togan Muftuoglu
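Added example, not part of the original thread: a rough estimate of how often a fixed four-byte content match fires on compressed data such as the iso.gz transfer discussed above, with a small empirical check. The bytes b0 b5 cd 80 are an assumption (the thread does not quote the rule), and the compressed payload is modelled as uniformly random bytes.

```python
import math
import random

# Assumed 4-byte content pattern for the "x86 setgid 0" rule; the thread does
# not quote the rule, so treat these bytes as illustrative.
SIGNATURE = bytes.fromhex("b0b5cd80")


def count_matches(data: bytes, pattern: bytes) -> int:
    """Count every (possibly overlapping) offset where pattern occurs."""
    hits, pos = 0, data.find(pattern)
    while pos != -1:
        hits += 1
        pos = data.find(pattern, pos + 1)
    return hits


def expected_matches(n_bytes: int, pattern_len: int) -> float:
    """Expected hits if the bytes are uniformly random (compressed data is close).

    Per-packet matching cannot hit across packet boundaries, so this is a
    slight overestimate for a sensor that inspects each payload separately.
    """
    positions = max(n_bytes - pattern_len + 1, 0)
    return positions / 256 ** pattern_len


def p_at_least_one(n_bytes: int, pattern_len: int) -> float:
    """Poisson approximation of the chance that one transfer raises the alert."""
    return 1.0 - math.exp(-expected_matches(n_bytes, pattern_len))


def simulate(n_bytes: int, pattern: bytes, seed: int = 1) -> int:
    """Constructed input: seeded pseudo-random bytes standing in for a .gz payload."""
    rng = random.Random(seed)
    data = rng.getrandbits(n_bytes * 8).to_bytes(n_bytes, "little")
    return count_matches(data, pattern)


if __name__ == "__main__":
    MIB = 2 ** 20
    # A 2-byte prefix is short enough to hit in a small sample and check the model.
    print("2-byte prefix in 4 MiB:", simulate(4 * MIB, SIGNATURE[:2]),
          "observed,", round(expected_matches(4 * MIB, 2), 1), "expected")
    for size_mib in (1, 650, 4096):
        n = size_mib * MIB
        print(f"{size_mib:>5} MiB: expected {expected_matches(n, 4):.4f}, "
              f"P(alert) {p_at_least_one(n, 4):.3f}")
```

Under this model a single 650 MiB compressed download trips a four-byte match roughly one time in seven, which fits both a first-time alert on one large file and frequent alerts on a sensor that sees many image and archive transfers.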