Snort mailing list archives
RE: shell code detect
From: Steve Halligan <giermo () geeksquad com>
Date: Thu, 11 Apr 2002 13:52:54 -0500
*hits playback on tape recorder* Shellcode rules often false alert when encountering binary files in transit. These rules are written to look for a bunch of NOPs (No Operations) in a row, and a lot of binaries fit this description. In this particular case, I am going to go out on a limb and say that a binary attachment to an email triggered this alert. The rule is written about as well as it can be. Dragos' spp_fnord preprocessor may false less often. -steve
I am getting this alert on some of my SMTP gateways. I know it is a buffer overflow attack because of the shellcode signature. I have had my mail admin check the servers out for signs of buffer overflow attacks; he reported back no problem. This might be a false positive (I am still investigating). My question to the list is: if this is a false positive, how do you tweak it without having to disable the rule altogether? One idea that I have been toying with is to set flags on most content rules so that the connection would have to be actually established before Snort starts squeaking. If the traffic is getting blocked by the firewall, I don't want Snort alerting me on such traffic. What do you guys think? Attached is the decoded payload of the shellcode attack.
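As an added illustration (not code from either poster or from Snort), a small Python model of why a content rule that looks for a run of NOP bytes fires on an ordinary binary attachment, with the established-connection check proposed above layered on top. The 14-byte threshold, the sample attachment and the function names are all constructed assumptions.

```python
import base64
import re
from typing import Optional

# Constructed stand-in for a content rule: alert on a run of x86 NOP (0x90)
# bytes, in the spirit of the classic shellcode-detection rules.
DEFAULT_MIN_RUN = 14  # assumed threshold, not a real Snort rule value


def nop_run_offset(payload: bytes, min_run: int = DEFAULT_MIN_RUN) -> Optional[int]:
    """Return the offset of the first run of >= min_run 0x90 bytes, else None."""
    match = re.search(rb"\x90{%d,}" % min_run, payload)
    return match.start() if match else None


def decode_base64_part(mime_body: bytes) -> bytes:
    """Decode a base64-encoded MIME body part (constructed helper, not a MIME parser)."""
    return base64.b64decode(b"".join(mime_body.split()))


def should_alert(payload: bytes, established: bool, require_established: bool = True) -> bool:
    """Apply the content check, optionally only on established TCP sessions.

    A packet the firewall dropped never completes the handshake, so with
    require_established=True it cannot raise this alert.
    """
    if require_established and not established:
        return False
    return nop_run_offset(payload) is not None


# Constructed benign "binary" attachment: an MZ-style header, some zeros, then a
# stretch of 0x90 alignment filler of the kind real executables often contain.
BENIGN_BINARY = b"MZ\x90\x00" + b"\x00" * 20 + b"\x90" * 32 + b"\xC3" * 8
BENIGN_B64_BODY = base64.encodebytes(BENIGN_BINARY)  # as it would travel over SMTP

if __name__ == "__main__":
    attachment = decode_base64_part(BENIGN_B64_BODY)
    print("NOP run at offset:", nop_run_offset(attachment))         # 24
    print("alert, unestablished:", should_alert(attachment, False))  # False
    print("alert, established:", should_alert(attachment, True))     # True
```

The benign attachment matches purely on its padding bytes, which is the false positive described in the thread; the flow gate only suppresses alerts on sessions that never completed, it does not make the content check itself more accurate.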
Current thread:
- shell code detect Omolayo Salako (Apr 11)
- <Possible follow-ups>
- RE: shell code detect Steve Halligan (Apr 11)