RE: shell code detect

[Steve Halligan <giermo () geeksquad com>]

*hits playback on taperecorder*
Shellcode rules often false alert when encountering binary files in transit.
These rules are written to look for a bunch of NOPS (No Operations) in a
row, and alot of binaries fit this description.

In this particular case, I am going to go out on a limb and say that a
binary attachment to an email triggered this alert.

The rule is written about as good as it can be.

Dragos' spp_fnord preprocessor may false less often.

-steve


> i am getting this alert on some of my smtp gateways. i know is a buffer
> overflow attack because of the shellcode signature. i have had 
> my mail admin
> check the servers out for signs of buffer overflow attacks, he 
> reported back
> no problem. this might be a false positive (i am still 
> investigating). my
> question to the list is that, if this is a false positive, how 
> do u tweak it
> without having to disable the rule altogether. one idea that i 
> have been
> toying with is to set flags on most content rules so that the 
> connection
> would have to be actually established by snort starts squeaking. if the
> traffic is getting blocked by the firewall, i dont want snort 
> alerting me on
> such traffic. what do you guys think?, attached is the  
> decoded payload of
> the shell code attack.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users