Snort mailing list archives
Re: "SHELLCODE x86 NOOP" from presumably non dangerous addresses
From: Guillaume <guillaume () anteria fr>
Date: Fri, 30 Nov 2001 12:34:30 +0100 (CET)
In reply to Roberto Suarez Soto <robe () alfa21 com>:
Hi, I'm receiving several "SHELLCODE x86 NOOP" alerts from addresses like "law2-www.hotmail.com" and another one in akamai (presumably, one of those used in ad banners: a62-41-13-32.deploy.akamaitechnologies.com). Is there a non-paranoid explanation of what could be happening? I think that maybe the transmission of some gif/jpg or some attach could trigger the alert, but I'm not very sure.
I do confirm: I already noticed that this alert appeared during FTP file transfers. The non-paranoid explanation being that the pattern (90 90 90 90 90 90 90 90 90 90 90 90 90 90) could be found in regular binary files. You should always take a look at the packet load when such an alert based on just that kind of content is triggered: I was about to send a furious e-mail to some sysadmin after having seen tons of this alert when I saw that it was just one of our clients transferring binary files to his website....
Guillaume
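A sketch of the payload check recommended in the reply above, as an added example that is not part of the original thread: it locates runs of the fourteen-byte 0x90 pattern quoted in the message and reports the surrounding context an analyst would look at before escalating. The function names, the magic-byte table and both sample payloads are assumptions constructed for illustration.

```python
import re

# Pattern quoted in the post: fourteen consecutive 0x90 bytes.
MIN_RUN = 14
NOP_RUN = re.compile(rb"\x90{%d,}" % MIN_RUN)

# Leading magic bytes of a few common binary formats (well-known values).
MAGIC = {
    b"GIF87a": "gif", b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
}

def file_type(payload):
    """Name the format if the payload starts with a known magic value.
    Only the first packet of a transfer carries the magic, so None on a
    mid-stream packet says nothing either way."""
    for magic, name in MAGIC.items():
        if payload.startswith(magic):
            return name
    return None

def triage(payload):
    """Collect the facts needed to judge the alert; this does not decide
    whether the traffic is hostile."""
    runs = [(m.start(), m.end() - m.start()) for m in NOP_RUN.finditer(payload)]
    return {
        "matched": bool(runs),                  # would the byte pattern hit?
        "runs": runs,                           # (offset, length) of each run
        "longest_run": max((n for _, n in runs), default=0),
        "nop_ratio": round(payload.count(0x90) / len(payload), 3) if payload else 0.0,
        "file_type": file_type(payload),
    }

# Constructed sample: start of a GIF whose data happens to hold 20 x 0x90.
SAMPLE_GIF = b"GIF89a" + bytes(range(32)) + b"\x90" * 20 + b"\x00\x3b"
# Constructed sample: 13 bytes of 0x90, one short of the quoted pattern.
SAMPLE_SHORT = b"HEAD" + b"\x90" * 13 + b"TAIL"

if __name__ == "__main__":
    for name, data in (("gif", SAMPLE_GIF), ("short", SAMPLE_SHORT)):
        print(name, triage(data))
```

A match inside a payload that identifies as an image or archive is the benign case described in the thread; the offsets let you jump straight to the bytes before and after the run in a packet dump.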
Current thread:
- "SHELLCODE x86 NOOP" from presumably non dangerous addresses Roberto Suarez Soto (Nov 30)
- Re: "SHELLCODE x86 NOOP" from presumably non dangerous addresses Guillaume (Nov 30)
- RE: "SHELLCODE x86 NOOP" from presumably non dangerous addresses Jyri Hovila (Nov 30)