Snort mailing list archives
How to avoid false alarms with Gnutella: Getting a lot of SHELLCODE x86 NOOP and STEALTH ACTIVITY for dest port 6346
From: Jose Vicente Nunez Zuleta <josevnz () newbreak com>
Date: Wed, 9 Oct 2002 17:02:46 -0400
Greetings,

My net users run P2P programs based on the Gnutella protocol; depending on what they download I get false alarms from Snort:

Oct 9 15:29:17 lnxwatch0001 snort: [1:1394:3] SHELLCODE x86 NOOP [Classification: Executable code was detected] [Priority: 1]: {TCP} 216.219.23.204:6346 -> 167.206.150.42:3979
Oct 9 16:40:54 lnxwatch0001 snort: [1:1394:3] SHELLCODE x86 NOOP [Classification: Executable code was detected] [Priority: 1]: {TCP} 146.151.74.50:6347 -> 167.206.150.42:1394
Oct 9 16:54:52 lnxwatch0001 snort: [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection {TCP} 148.63.132.208:3789 -> XXXX:6346
Oct 9 16:54:52 lnxwatch0001 snort: [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection {TCP} 148.63.132.208:3789 -> XXXX:6346
Oct 9 16:55:00 lnxwatch0001 snort: [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection {TCP} 148.63.132.208:3794 -> XXXX:6346
Oct 9 16:55:56 lnxwatch0001 snort: [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection {TCP} 148.63.132.208:3789 -> XXXX:6346
Oct 9 16:55:56 lnxwatch0001 snort: [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection {TCP} 148.63.132.208:3789 -> XXXX:6346
Oct 9 16:56:04 lnxwatch0001 snort: [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection {TCP} 148.63.132.208:3794 -> XXXX:6346
Oct 9 16:57:00 lnxwatch0001 snort: [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection {TCP} 148.63.132.208:3789 -> XXX:6346
Oct 9 16:57:00 lnxwatch0001 snort: [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection {TCP} 148.63.132.208:3789 -> XXXX:6346
Oct 9 16:57:08 lnxwatch0001 snort: [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection {TCP} 148.63.132.208:3794 -> XXXX:6346
Oct 9 16:58:04 lnxwatch0001 snort: [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection {TCP} 148.63.132.208:3789 -> XXXX:6346
Oct 9 16:58:04 lnxwatch0001 snort: [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection {TCP} 148.63.132.208:3789 -> XXXX:6346
Oct 9 16:58:12 lnxwatch0001 snort: [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection {TCP} 148.63.132.208:3794 -> XXXX:6346

Is there a way I can tell Snort to ignore the spp_stream4 and the shellcode validations for the destination port 6346?

Thanks in advance.

JV.

-- 
José Vicente Núñez Zuleta (josevnz at newbreak dot com)
Newbreak LLC System Administrator (http://www.newbreak.com)
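An added example, not from the thread and not part of Snort: a Python triage script that parses alert lines in the syslog format the poster shows (both the rule-based `[1:1394:3]` form with Classification/Priority and the bare `[111:11:1]` preprocessor form) and flags the ones the poster wants quietened whenever a Gnutella port is on either end of the connection. The first four sample lines are the poster's own alerts; the fifth, a SHELLCODE hit against port 22, is constructed here to show the filter leaves non-Gnutella alerts alone. `GNUTELLA_PORTS`, `NOISY_SIGS` and the function names are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the syslog format Snort wrote in the thread. Lines 1-4 are
# the poster's own alerts; line 5 is made up to show what the filter must keep.
SAMPLE_LOG = """\
Oct 9 15:29:17 lnxwatch0001 snort: [1:1394:3] SHELLCODE x86 NOOP [Classification: Executable code was detected] [Priority: 1]: {TCP} 216.219.23.204:6346 -> 167.206.150.42:3979
Oct 9 16:40:54 lnxwatch0001 snort: [1:1394:3] SHELLCODE x86 NOOP [Classification: Executable code was detected] [Priority: 1]: {TCP} 146.151.74.50:6347 -> 167.206.150.42:1394
Oct 9 16:54:52 lnxwatch0001 snort: [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection {TCP} 148.63.132.208:3789 -> XXXX:6346
Oct 9 16:55:00 lnxwatch0001 snort: [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection {TCP} 148.63.132.208:3794 -> XXXX:6346
Oct 9 17:01:10 lnxwatch0001 snort: [1:1394:3] SHELLCODE x86 NOOP [Classification: Executable code was detected] [Priority: 1]: {TCP} 10.9.8.7:4444 -> 167.206.150.42:22
"""

# Gnutella's listening port is 6346; 6347 also appears as a peer port in the post.
GNUTELLA_PORTS = {6346, 6347}
# (gid, sid) pairs the poster wants quietened on Gnutella traffic:
# 1:1394 = SHELLCODE x86 NOOP, 111:11 = spp_stream4 STEALTH ACTIVITY detection.
NOISY_SIGS = {(1, 1394), (111, 11)}

# Classification/Priority are optional: preprocessor (gid 111) alerts omit them.
# Hosts are matched as \S+ so redacted names like "XXXX" parse as well as IPs.
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<sensor>\S+) snort: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?)"
    r"(?: \[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<pri>\d+)\]:)? "
    r"\{(?P<proto>\w+)\} (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$"
)


@dataclass
class Alert:
    timestamp: str
    sensor: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: Optional[int]
    proto: str
    src: str
    src_port: int
    dst: str
    dst_port: int


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one syslog alert line; return None for lines that are not Snort alerts."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    pri = m.group("pri")
    return Alert(
        timestamp=m.group("ts"), sensor=m.group("sensor"),
        gid=int(m.group("gid")), sid=int(m.group("sid")), rev=int(m.group("rev")),
        msg=m.group("msg"), classification=m.group("cls"),
        priority=int(pri) if pri is not None else None,
        proto=m.group("proto"),
        src=m.group("src"), src_port=int(m.group("sport")),
        dst=m.group("dst"), dst_port=int(m.group("dport")),
    )


def parse_log(text: str) -> List[Alert]:
    return [a for a in map(parse_alert, text.splitlines()) if a is not None]


def is_gnutella_noise(alert: Alert, ports=GNUTELLA_PORTS, check_source: bool = True) -> bool:
    """True when a noisy signature fired on a connection with a Gnutella port on
    the destination side, or (check_source=True) on either side."""
    if (alert.gid, alert.sid) not in NOISY_SIGS:
        return False
    if alert.dst_port in ports:
        return True
    return check_source and alert.src_port in ports


def triage(text: str, check_source: bool = True) -> Tuple[List[Alert], List[Alert]]:
    """Split a log into (kept, suppressed) alerts."""
    kept: List[Alert] = []
    suppressed: List[Alert] = []
    for a in parse_log(text):
        (suppressed if is_gnutella_noise(a, check_source=check_source) else kept).append(a)
    return kept, suppressed


if __name__ == "__main__":
    kept, dropped = triage(SAMPLE_LOG)
    print(f"suppressed {len(dropped)} Gnutella-related alerts, {len(kept)} left for review")
    for a in kept:
        print(f"  [{a.gid}:{a.sid}:{a.rev}] {a.msg} {a.src}:{a.src_port} -> {a.dst}:{a.dst_port}")
```

One thing the poster's own log shows: in both SHELLCODE alerts the Gnutella port (6346, 6347) is the source, not the destination, because the peer is sending downloaded data back to the client's ephemeral port. A suppression keyed only on destination port 6346, as the question proposes, would therefore leave those alerts in place; `triage(SAMPLE_LOG, check_source=False)` keeps three alerts instead of one. Any Snort-side equivalent (for instance a `pass` rule, which Snort of that era only evaluates ahead of alert rules when started with `-o`) needs the port matched in both directions for the same reason; that is a general remark, not something from the thread.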