Snort mailing list archives
Re: Shellcode x86 setgid 0
From: H D Moore <hdm () secureaustin com>
Date: Sun, 13 May 2001 10:05:47 -0500
Source port 20 to the high port 61470 indicates that an FTP transfer was occurring from 212.156.199.157 to 216.162.197.11. The shellcode signature was triggered by some binary data in the file that happened to match the x86 assembly for setgid0. GIF images and Zip files tend to set mine off all the time...

On Sunday 13 May 2001 09:41 am, Togan Muftuoglu wrote:

> Hi,
>
> Although it could be bad traffic (and hopefully a false positive), I just wanted to be sure. I am using snort 1.8 beta 3 and snort is running on the firewall which is masquerading for the local network.
>
> May 13 13:41:28 gardiyan snort: SHELLCODE x86 setgid 0 [Classification: \210à^P^H\200¢^T^H¸²^T^H Priority: 10]: 216.162.197.11:20 -> 212.156.199.157:61470
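The triage reasoning in the reply above (source port 20 to a high port means an FTP data connection, so a payload byte-pattern hit there is probably file content) can be applied to alert logs automatically. The following is an added example, not code from the thread or from the Snort project; the sample log lines, the hostname `sensor`, the addresses, the `EXAMPLE` rule name and the port-1024 threshold are constructed assumptions.

```python
import re

# Syslog layout of a Snort alert as quoted in the thread:
#   <msg> [Classification: ... Priority: N]: src:sport -> dst:dport
ALERT_RE = re.compile(
    r"snort: (?P<msg>.+?) \[Classification:.*?Priority: \d+\]: "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

FTP_DATA_PORT = 20    # source port of an active-mode FTP data connection
EPHEMERAL_MIN = 1024  # assumption: the client's data port is unprivileged

LIKELY_FP = "likely-false-positive"  # payload pattern inside a file transfer
REVIEW = "review"                    # payload pattern on some other flow
OTHER = "not-a-payload-signature"


def triage(line):
    """Return (msg, verdict) for one alert line, or None if it does not parse."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    sport, dport = int(m["sport"]), int(m["dport"])
    payload_sig = m["msg"].startswith("SHELLCODE")
    ftp_data = sport == FTP_DATA_PORT and dport >= EPHEMERAL_MIN
    if not payload_sig:
        return m["msg"], OTHER
    return m["msg"], LIKELY_FP if ftp_data else REVIEW


# Constructed sample lines, modelled on the alert quoted in the thread.
SAMPLE_LOG = [
    "May 13 13:41:28 sensor snort: SHELLCODE x86 setgid 0 "
    "[Classification: unknown Priority: 10]: 192.0.2.10:20 -> 198.51.100.7:61470",
    "May 13 13:52:02 sensor snort: SHELLCODE x86 setgid 0 "
    "[Classification: unknown Priority: 10]: 192.0.2.10:40112 -> 198.51.100.7:21",
    "May 13 14:03:17 sensor snort: EXAMPLE non-payload rule "
    "[Classification: unknown Priority: 3]: 192.0.2.10:53 -> 198.51.100.7:1031",
    "May 13 14:05:00 sensor kernel: unrelated message",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(triage(entry))
```

A `likely-false-positive` verdict lowers the alert's priority rather than closing it; confirming it means finding the matching file transfer in the FTP control session.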