Snort mailing list archives
Re: SHELLCODE x86 unicode NOOP
From: Dragos Ruiu <dr () kyx net>
Date: Mon, 22 Apr 2002 13:20:25 +0000
On Mon, 22 Apr 2002 12:41:32 -0700 "Tony Wong" <tony.wong () stanford edu> wrote:
> What are these in alerts? I get them when a user is transferring files from one server to another. How can I stop them?
These alerts are from a signature intended to identify the "landing pad", aka NOP sled, that a lot of exploits use. It falses on x86 NOP-like codes that are often a part of GIFs. One way to stop the falses is to use the more sophisticated spp_fnord NOP sled detector available on the cansecwest.com site (it is due for inclusion in the upcoming Snort 1.9) and then disable the more likely-to-false and less complete NOP rules in the ruleset.

cheers,
--dr

--
--dr pgpkey: http://dragos.com/dr-dursec.asc
CanSecWest/core02 - May 1-3 2002 - Vancouver B.C. - http://cansecwest.com
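An added illustration of the trade-off described above (not code from the post, from Snort, or from spp_fnord): the naive content rules are modelled as a run of 0x90 bytes and a run of 0x90 0x00 pairs, and the fnord-style check as a run of single-byte NOP-equivalent instructions. Both models, the opcode subset and the sample buffers are assumptions constructed for this example.

```python
import re

# Assumed models of the two naive content rules (not the exact Snort rule text):
# a run of single-byte NOPs, and the same NOP after UTF-16 expansion (0x90 0x00).
PLAIN_NOP_RULE = re.compile(rb"\x90{14,}")
UNICODE_NOP_RULE = re.compile(rb"(?:\x90\x00){8,}")

# Assumed small subset of single-byte opcodes a sled can be built from without
# upsetting the landing: nop, inc/dec r32, xchg eax,r32. The real fnord list is
# larger; this subset is enough to show the idea.
NOP_EQUIVALENTS = frozenset([0x90] + list(range(0x40, 0x50)) + list(range(0x91, 0x98)))


def naive_rule_hits(payload: bytes) -> bool:
    """Content-match style check: does either fixed byte pattern occur?"""
    return bool(PLAIN_NOP_RULE.search(payload) or UNICODE_NOP_RULE.search(payload))


def longest_nop_equivalent_run(payload: bytes) -> int:
    """fnord-style check: length of the longest run of NOP-equivalent bytes."""
    best = run = 0
    for b in payload:
        run = run + 1 if b in NOP_EQUIVALENTS else 0
        best = max(best, run)
    return best


def classify(payload: bytes, sled_len: int = 32) -> dict:
    """Verdict of each detector on one payload; sled_len is an assumed threshold."""
    return {
        "naive_rules": naive_rule_hits(payload),
        "nop_equivalent_run": longest_nop_equivalent_run(payload) >= sled_len,
    }


# Constructed samples, not captured traffic.
PLAIN_SLED = b"\x90" * 40 + b"\xcc\xcc"                        # both detectors fire
MIXED_SLED = bytes([0x90, 0x41, 0x42, 0x97, 0x4B] * 8) + b"\xcc\xcc"  # naive rules miss it
GIF_LIKE = b"GIF89a" + b"\x10\x00\x10\x00\xf0\x00\x00" + b"\x90\x00" * 12 + b"\x3b"
TEXT = b"Just a plain text transfer, nothing interesting."

# GIF_LIKE shows the false positive from the post: image bytes that happen to
# contain 0x90 0x00 pairs trip the content rule, while every 0x00 breaks the
# NOP-equivalent run, so the fnord-style check stays quiet. This toy does not
# model unicode-expanded sleds on the fnord side.
if __name__ == "__main__":
    for name, sample in [("plain", PLAIN_SLED), ("mixed", MIXED_SLED), ("gif", GIF_LIKE), ("text", TEXT)]:
        print(name, classify(sample))
```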
Current thread:
- SHELLCODE x86 unicode NOOP Tony Wong (Apr 22)
- Re: SHELLCODE x86 unicode NOOP Erek Adams (Apr 22)
- Re: SHELLCODE x86 unicode NOOP Dragos Ruiu (Apr 22)