Snort mailing list archives

Re: shellcode error

From: Erek Adams <erek () theadamsfamily net>
Date: Fri, 31 May 2002 08:24:29 -0700 (PDT)

On Fri, 31 May 2002, Hugo Ferr wrote:

Just out of curiosity - why !80, I was getting quite a lot of false
positives for shellcode on port 80, is that the number of false positives is
the reason for !80?


Yes.  Something as simple as a .GIF, .JPG, .EXE, etc. could set off those
rules.  It would be nice to put FTP in there, but since the data channel is on
a random high port, it can't be.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________________________

Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

shellcode error Hugo Ferr (May 30)
- RE: shellcode error bthaler (May 30)
  - Re: shellcode error Hugo Ferr (May 30)
    - Re: shellcode error Erek Adams (May 30)
    - Re: shellcode error Hugo Ferr (May 31)
    - Re: shellcode error Erek Adams (May 31)
    - Re: shellcode error Hugo Ferr (May 31)
- Re: shellcode error matt (May 30)
  - Re: shellcode error john (May 31)
    - Re: shellcode error Erek Adams (May 31)
    - Re: shellcode error Matt Kettler (May 31)