Snort mailing list archives

Re: Shellcode x86 setgid 0


From: H D Moore <hdm () secureaustin com>
Date: Sun, 13 May 2001 10:05:47 -0500

Source port 20 to the high port 61470 indicates that an FTP transfer was 
occurring from 212.156.199.157 to 216.162.197.11.  The shellcode signature was 
triggered by some binary data in the file that happened to match the x86 
assembly for setgid0.  GIF images and Zip files tend to set mine off all the 
time...

On Sunday 13 May 2001 09:41 am, Togan Muftuoglu wrote:
Hi,

Although it could be bad traffic (and hopefully a false positive), I just
wanted to be sure. I am using snort 1.8 beta 3, and snort is running on
the firewall, which is masquerading for the local network.

May 13 13:41:28 gardiyan snort: SHELLCODE x86 setgid 0

 [Classification: \210à^P^H\200¢^T^H¸²^T^H   Priority: 10]:
216.162.197.11:20 -> 212.156.199.157:61470

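Added example, not part of the original thread: a triage sketch for the false positive described in the reply above. It estimates how often a 4-byte signature matches random file data by chance and checks whether a hit sits inside high-entropy (compressed) bytes. The pattern bytes, the 7.0 bits/byte threshold and both sample buffers are assumptions constructed for illustration.

```python
import math
import random

# Assumption: 4-byte content of the "SHELLCODE x86 setgid 0" rule
# (mov $0xb5,%al ; int $0x80). The bytes are not quoted on this page.
SETGID0 = bytes.fromhex("b0b5cd80")

def chance_hit_probability(n_bytes, pattern_len=len(SETGID0)):
    """P(at least one coincidental match) in n_bytes of uniformly random data."""
    windows = max(n_bytes - pattern_len + 1, 0)
    expected_hits = windows / 256 ** pattern_len
    return 1.0 - math.exp(-expected_hits)  # Poisson approximation

def entropy_bits(data):
    """Shannon entropy of data in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage(payload, pattern=SETGID0, window=256, threshold=7.0):
    """List (offset, entropy, verdict) for every pattern hit in payload.

    Heuristic (assumption): a hit surrounded by near-random bytes is most
    likely compressed file content, as in an FTP data transfer of a GIF or Zip.
    """
    hits = []
    pos = payload.find(pattern)
    while pos != -1:
        context = payload[max(0, pos - window):pos + len(pattern) + window]
        h = entropy_bits(context)
        verdict = "likely file data" if h >= threshold else "inspect"
        hits.append((pos, round(h, 2), verdict))
        pos = payload.find(pattern, pos + 1)
    return hits

# Constructed sample 1: pseudo-random bytes standing in for compressed file
# content, with the pattern planted at offset 1000 to mimic a coincidence.
_rng = random.Random(2001)
SAMPLE_COMPRESSED = bytearray(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_COMPRESSED[1000:1004] = SETGID0
SAMPLE_COMPRESSED = bytes(SAMPLE_COMPRESSED)

# Constructed sample 2: the same pattern inside repetitive padding bytes.
SAMPLE_PADDED = b"\x90" * 400 + SETGID0 + b"A" * 400
```

For scale, `chance_hit_probability(2**32)` is about 0.63, so a sensor watching a few gigabytes of compressed transfers should expect this alert from coincidence alone.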

