Snort mailing list archives

SHELLCODE x86 NOOP and Novell


From: Yonah Russ <yonah () jct ac il>
Date: 21 Feb 2002 17:13:05 +0200

Has anyone ever noticed that this signature seems to be triggered by NCP
in NetWare 5? I just set up a Snort box and I'm getting alerts from
NetWare servers originating at port 524, NetWare's NCP request port.

Here is the rule:

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 NOOP";
content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth: 128;
reference:arachnids,181; classtype:shellcode-detect; sid:648; rev:4;)

Is there any way to make it better and eliminate this false positive
other than telling it to ignore those servers and/or ports?
Thanks
Yonah
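
An added example, not part of the original post: a small Python model of how the rule's content and depth options are evaluated, run over constructed payloads (not captured NCP traffic). It shows that any payload carrying 14 consecutive 0x90 bytes inside its first 128 bytes matches, whatever the protocol or port; the function names are hypothetical.

```python
import re

# Rule options copied from the post (sid:648); only content and depth matter here.
RULE_OPTS = 'content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth: 128;'

def parse_content(opts):
    """Return (pattern_bytes, depth) from a Snort option string.
    Handles mixed literal text and |hex| segments inside content."""
    raw = re.search(r'content:\s*"([^"]*)"', opts).group(1)
    depth_m = re.search(r'depth:\s*(\d+)', opts)
    pattern = bytearray()
    # After splitting on '|', odd-indexed segments are hex, the rest literal text.
    for i, seg in enumerate(raw.split('|')):
        pattern += bytes.fromhex(seg.replace(' ', '')) if i % 2 else seg.encode('latin-1')
    return bytes(pattern), int(depth_m.group(1)) if depth_m else None

def match(payload, pattern, depth):
    """Offset of the first match lying wholly inside the first `depth` bytes, else -1."""
    window = payload if depth is None else payload[:depth]
    return window.find(pattern)

def longest_run(payload, byte=0x90):
    """Length of the longest run of `byte`, a quick triage figure for an alert."""
    best = cur = 0
    for b in payload:
        cur = cur + 1 if b == byte else 0
        best = max(best, cur)
    return best

# Constructed payloads (assumptions for illustration, not real traffic).
SAMPLES = {
    "binary reply, 16 filler bytes of 0x90": b"\x01\x02\x03\x04" + b"\x90" * 16 + b"\x00" * 40,
    "13 bytes of 0x90, one short": b"\x00" * 8 + b"\x90" * 13 + b"\x00" * 8,
    "run starts at offset 120, crosses depth": b"\x00" * 120 + b"\x90" * 14,
    "plain text": b"GET / HTTP/1.0\r\n\r\n",
}

def evaluate(samples=SAMPLES, opts=RULE_OPTS):
    """Map each sample name to (match offset or -1, longest 0x90 run)."""
    pattern, depth = parse_content(opts)
    return {name: (match(p, pattern, depth), longest_run(p)) for name, p in samples.items()}

if __name__ == "__main__":
    for name, (off, run) in evaluate().items():
        print(f"{name:42s} match_offset={off:4d} longest_0x90_run={run}")
```

The rule header is `alert ip ... any -> ... any`, so nothing in the match depends on port or protocol; the run length per alert is one figure to compare across the alerting servers.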

