Snort mailing list archives

Re: "SHELLCODE x86 NOOP" from presumably non dangerous addresses


From: Guillaume <guillaume () anteria fr>
Date: Fri, 30 Nov 2001 12:34:30 +0100 (CET)

In reply to Roberto Suarez Soto <robe () alfa21 com>:

Hi, 

      I'm receiving several "SHELLCODE x86 NOOP" alerts from addresses like
"law2-www.hotmail.com" and another one in akamai (presumably, one of
those used in ad banners: a62-41-13-32.deploy.akamaitechnologies.com). Is
there a non-paranoid explanation of what could be happening?

      I think that maybe the transmission of some gif/jpg or some attach
could trigger the alert, but I'm not very sure.

I do confirm: I already noticed that this alert appeared during FTP file 
transfers. The non-paranoid explanation being that the pattern (90 90 90 90 90 
90 90 90 90 90 90 90 90 90) could be found in regular binary files.

You should always take a look at the packet load when such an alert based on 
just that kind of content is triggered: I was about to send a furious e-mail to 
some sysadmin after having seen tons of this alert when I saw that it was just 
one of our clients transferring binary files to his website....


Guillaume
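
The payload check recommended in the message above, as an added example that is not part of the original post: a Python helper that finds runs of the fourteen 0x90 bytes quoted in the thread and reports what surrounds them, so the alert can be judged against the data that triggered it. The function names, the file-signature table and the sample payloads are assumptions constructed for this illustration.

```python
import re

# Pattern quoted in the thread: fourteen consecutive 0x90 bytes.
RULE_PATTERN = b"\x90" * 14

# Illustrative subset of file signatures (chosen for this example) used as a
# hint that the payload is the start of an ordinary binary file.
MAGIC = {
    b"GIF87a": "gif", b"GIF89a": "gif", b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png", b"PK\x03\x04": "zip",
    b"MZ": "pe", b"\x7fELF": "elf",
}

# Constructed samples: a GIF-like payload whose data contains 0x90 bytes, and
# a chunk with only thirteen of them (one short of the pattern).
SAMPLE_GIF = b"GIF89a" + b"\x10\x00\x10\x00" + b"\x90" * 20 + b"\x00\x3b"
SAMPLE_SHORT = b"\x01\x02" + b"\x90" * 13 + b"\x03"

def nop_runs(payload, min_len=len(RULE_PATTERN)):
    """Return (offset, length) for each run of 0x90 at least min_len long."""
    pattern = b"\x90{%d,}" % min_len
    return [(m.start(), m.end() - m.start())
            for m in re.finditer(pattern, payload)]

def file_hint(payload):
    """Name the file type if the payload begins with a known signature."""
    for magic, name in MAGIC.items():
        if payload.startswith(magic):
            return name
    return None

def triage(payload, context=16):
    """Collect the facts an analyst wants before acting on the alert."""
    report = {"file_hint": file_hint(payload), "runs": []}
    for offset, length in nop_runs(payload):
        tail = payload[offset + length: offset + length + context]
        report["runs"].append({"offset": offset, "length": length,
                               "following_bytes": tail.hex()})
    report["matched"] = bool(report["runs"])
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_GIF))
    print(triage(SAMPLE_SHORT))
```

A file hint only covers payloads that start at the beginning of a file; a packet from the middle of a transfer returns `None`, and the bytes following each run are what remains to look at.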
