Snort mailing list archives

Re: Shellcode x86 setgid 0


From: Lance Spitzner <lance () honeynet org>
Date: Sun, 13 May 2001 12:49:43 -0500 (CDT)

On Sun, 13 May 2001, H D Moore wrote:

> Source port 20 to the high port 61470 indicates that an FTP transfer was
> occurring from 212.156.199.157 to 216.162.197.11.  The shellcode signature was
> triggered by some binary data in the file that happened to match the x86
> assembly for setgid0.  Gif images and Zip files tend to set mine off all the
> time...

So does Bugtraq email and Word .doc's that have content describing exploit
attacks :)

lance
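
Added example, not part of the original thread: a sketch of the false positive described in the quoted message, where a short content match fires on file bytes carried over an FTP data connection (source port 20 to a high port). The 4-byte pattern, the function names and the sample payload are assumptions constructed for illustration; the thread does not quote the rule itself.

```python
# Added illustration; the names, pattern and sample bytes are assumptions,
# not taken from the thread or from any Snort rule file.

# x86 bytes for `mov al, 0xb5 ; int 0x80`, used here as a stand-in for the
# short content match a "setgid 0" shellcode signature looks for.
PATTERN = bytes.fromhex("b0b5cd80")

def content_match(payload, pattern=PATTERN):
    """Return every offset where pattern occurs, as a raw content match would."""
    hits = []
    i = payload.find(pattern)
    while i != -1:
        hits.append(i)
        i = payload.find(pattern, i + 1)
    return hits

def expected_random_hits(n_bytes, pattern_len=len(PATTERN)):
    """Expected chance matches in n_bytes of uniformly random data
    (a rough model for compressed files such as ZIP or GIF)."""
    positions = max(n_bytes - pattern_len + 1, 0)
    return positions / 256 ** pattern_len

def triage(src_port, dst_port, payload):
    """Label an alert using the context from the thread: source port 20 to a
    high port is the server side of an active-mode FTP data transfer."""
    if not content_match(payload):
        return "no-match"
    if src_port == 20 and dst_port >= 1024:
        return "likely-false-positive: file bytes on FTP data channel"
    return "review: match outside FTP data channel"

# Constructed sample: a fragment of a binary file that happens to contain
# the four bytes, the situation the thread describes for GIF and ZIP files.
SAMPLE_CHUNK = b"GIF89a" + bytes(4) + PATTERN + b"\x00\x3b"

if __name__ == "__main__":
    print(content_match(SAMPLE_CHUNK))
    print(triage(20, 61470, SAMPLE_CHUNK))
    # Chance hits expected in 10 GiB of compressed transfers
    print(round(expected_random_hits(10 * 2**30), 2))
```

Under the random-data model a 4-byte pattern is expected to match by chance about once per 4 GiB, so a sensor watching bulk binary transfers will see such alerts regularly.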

