Snort mailing list archives

How to avoid false alarms with Gnutella: Getting a lot of SHELLCODE x86 NOOP and STEALTH ACTIVITY for dest port 6346


From: Jose Vicente Nunez Zuleta <josevnz () newbreak com>
Date: Wed, 9 Oct 2002 17:02:46 -0400

Greetings,

My net users run P2P programs based on the Gnutella protocol; depending on what they download, I get false alarms from
Snort:

Oct  9 15:29:17 lnxwatch0001 snort: [1:1394:3] SHELLCODE x86 NOOP [Classification: Executable code was detected] [Priority: 1]: {TCP} 216.219.23.204:6346 -> 167.206.150.42:3979
Oct  9 16:40:54 lnxwatch0001 snort: [1:1394:3] SHELLCODE x86 NOOP [Classification: Executable code was detected] [Priority: 1]: {TCP} 146.151.74.50:6347 -> 167.206.150.42:1394
Oct  9 16:54:52 lnxwatch0001 snort: [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection {TCP} 148.63.132.208:3789 -> XXXX:6346
Oct  9 16:54:52 lnxwatch0001 snort: [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection {TCP} 148.63.132.208:3789 -> XXXX:6346
Oct  9 16:55:00 lnxwatch0001 snort: [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection {TCP} 148.63.132.208:3794 -> XXXX:6346
Oct  9 16:55:56 lnxwatch0001 snort: [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection {TCP} 148.63.132.208:3789 -> XXXX:6346
Oct  9 16:55:56 lnxwatch0001 snort: [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection {TCP} 148.63.132.208:3789 -> XXXX:6346
Oct  9 16:56:04 lnxwatch0001 snort: [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection {TCP} 148.63.132.208:3794 -> XXXX:6346
Oct  9 16:57:00 lnxwatch0001 snort: [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection {TCP} 148.63.132.208:3789 -> XXX:6346
Oct  9 16:57:00 lnxwatch0001 snort: [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection {TCP} 148.63.132.208:3789 -> XXXX:6346
Oct  9 16:57:08 lnxwatch0001 snort: [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection {TCP} 148.63.132.208:3794 -> XXXX:6346
Oct  9 16:58:04 lnxwatch0001 snort: [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection {TCP} 148.63.132.208:3789 -> XXXX:6346
Oct  9 16:58:04 lnxwatch0001 snort: [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection {TCP} 148.63.132.208:3789 -> XXXX:6346
Oct  9 16:58:12 lnxwatch0001 snort: [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection {TCP} 148.63.132.208:3794 -> XXXX:6346


Is there a way I can tell Snort to ignore the spp_stream4 and the shellcode validations for the destination port
6346?

Thanks in advance.

JV.

-- 
José Vicente Núñez Zuleta (josevnz at newbreak dot com)
Newbreak LLC System Administrator (http://www.newbreak.com)
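One way to tune this, as an added example that is not part of the original post or any reply: a snort.conf fragment using pass rules for the rule-engine alerts and the stream4 preprocessor option for the scan alerts (assumes Snort 1.9/2.0-era configuration syntax; the sid values 1000001 and 1000002 are placeholders chosen for the example).

```snort
# Constructed snort.conf fragment (assumed Snort 1.9/2.0-era syntax).
#
# 1. Pass rules: let Gnutella flows bypass the SHELLCODE rules.
#    In the log above the NOOP hits carry 6346/6347 as the SOURCE port and a
#    high client port as the destination, so a rule on "-> any 6346" alone
#    would miss them: match both directions ("<>") and both Gnutella ports.
#    Caveat: a pass rule silences EVERY rule for the matched flow, not only
#    sid 1394, so keep it as narrow as the traffic allows.
pass tcp any any <> any 6346 (msg:"Gnutella 6346 - rule checks bypassed"; sid:1000001; rev:1;)
pass tcp any any <> any 6347 (msg:"Gnutella 6347 - rule checks bypassed"; sid:1000002; rev:1;)

# 2. Rule order: Snort evaluates alert rules before pass rules by default, so
#    the pass rules only take effect once the order is changed, either with
#    this directive or with the -o command-line switch.
config order: pass alert log activation dynamic

# 3. spp_stream4 "STEALTH ACTIVITY (Vecna scan)" is a preprocessor alert
#    (gid 111) raised before the rule engine runs, so pass rules never see it.
#    The knob is the preprocessor's own scan detector; removing detect_scans
#    turns those alerts off for all ports, not just 6346.
#    before:  preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4: disable_evasion_alerts

# Per-port alternative that also covers the preprocessor: drop the port from
# capture entirely with a BPF filter on the command line. This blinds Snort
# to everything on that port, so it trades coverage for quiet.
#   snort -c /etc/snort/snort.conf 'not tcp port 6346'
```

Whichever route is taken, re-run Snort against a short capture of the Gnutella traffic to confirm the alerts stop while unrelated rules on other ports still fire.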

