Snort mailing list archives
shell code detect
From: Omolayo Salako <OSalako () corp goamerica net>
Date: Thu, 11 Apr 2002 13:34:30 -0400
I am getting this alert on some of my SMTP gateways. I know it is a buffer overflow attack because of the shellcode signature. I have had my mail admin check the servers out for signs of buffer overflow attacks; he reported back no problem. This might be a false positive (I am still investigating). My question to the list is: if this is a false positive, how do you tweak it without having to disable the rule altogether? One idea that I have been toying with is to set flags on most content rules so that the connection would have to be actually established before Snort starts squeaking. If the traffic is getting blocked by the firewall, I don't want Snort alerting me on such traffic. What do you guys think? Attached is the decoded payload of the shellcode attack.
Attachments: shellcode.txt, shellcodex86.txt
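One way to do the tuning asked about above, as an added example that is not from the original post or from the Snort rule distribution: a constructed shellcode-style rule scoped to SMTP, shown first without and then with a connection-state requirement. The port, sid values and NOP pattern are assumptions.

```snort
# Constructed example: local rules, not the stock shellcode.rules entries.

# Before: fires on any packet carrying the pattern toward port 25, including
# packets the firewall later drops, because no connection state is required.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"LOCAL NOP sled to SMTP (no state check)"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth:128; classtype:shellcode-detect; sid:1000001; rev:1;)

# After: flow:established,to_server requires a completed three-way handshake
# and client-to-server direction, so traffic that never got past the firewall
# cannot trigger the content match. On builds without the flow keyword,
# flags:A+ is the weaker substitute: it only checks the ACK bit on the packet
# itself, so a crafted ACK-only packet would still be inspected.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"LOCAL NOP sled to SMTP (established only)"; flow:established,to_server; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth:128; classtype:shellcode-detect; sid:1000002; rev:1;)
```

Scoping the rule to SMTP and to established sessions cuts the noise without disabling the detection; the decoded attachment can then be compared against the rule's content bytes to confirm whether the original match was on a real payload or on binary mail data that happens to contain the pattern.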