Snort mailing list archives

Re: spp_fnord Alerts Galore


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 25 Feb 2003 11:25:16 -0500

Spp-fnord is a somewhat experimental preprocessor that attempts to detect common "filler" patterns that are used in buffer overflows. The fill pattern is used to make the overflow a bit simpler to align. Typically this is a pile of NOP instructions, or a similar single-byte instruction that has no significant effect on the state of the system.

Read up the e-text titled "Smashing the Stack for Fun and Profit" by Aleph One if the concept of a buffer overflow is foreign to you. It's easily found with a web search, i.e. this spot: http://www.shmoo.com/phrack/Phrack49/p49-14


The fnord here means it noticed something going by in a packet that looked like a pile of mutated NOPs, but could easily be a pattern present in things like uncompressed images.

AFAIK, Fnord is disabled in the default config, and you should read the description of a preprocessor in snort.conf prior to enabling ones that are turned off by default.


At 08:38 AM 2/25/2003 -0700, Joe Giles wrote:
List,

I am somewhat new to snort and I use ACID for my reporting. As these
systems are great and I generally have no issues, I was noticing a TON
of "(spp_fnord) Possible Mutated IA32 NOP Sled detected" alerts in my
list. I was not able to find any useful information on Google and I was
interested in what they mean.

I have a total of 242 alerts of this from 2-6-03 to present.

Any assistance would be great

Thanks
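As an added illustration of the heuristic Matt describes above (not code from this thread or from spp_fnord itself), the following Python scans a payload for the longest run of single-byte IA32 instructions that leave program state essentially unchanged, and shows with constructed sample data why an 8-bit grayscale pixel ramp trips the same check; the opcode subset and the sample payloads are assumptions made for the example.

```python
# Added example, not spp_fnord's code: a toy "mutated NOP sled" detector that
# shows why an uncompressed image can trip the same heuristic.

# Assumed subset of single-byte IA32 instructions with little or no effect on
# program state (nop, inc/dec of the general registers, a few flag ops).
# Illustrative only; spp_fnord keeps its own, larger table.
NOP_EQUIVALENTS = frozenset(
    [0x90] + list(range(0x40, 0x50)) + [0x98, 0x99, 0xF8, 0xF9, 0xFC, 0xFD]
)


def longest_nop_run(payload: bytes) -> tuple:
    """Return (offset, length) of the longest run of NOP-equivalent bytes."""
    best = (0, 0)
    start = None
    for i, b in enumerate(payload):
        if b in NOP_EQUIVALENTS:
            if start is None:
                start = i
            if i - start + 1 > best[1]:
                best = (start, i - start + 1)
        else:
            start = None
    return best


def scan(payload: bytes, min_run: int = 16) -> dict:
    """Flag payloads carrying a run of at least min_run NOP-equivalent bytes.

    'distinct' counts the different byte values inside the run: a mutated
    sled and a pixel ramp both score high here, which is why the alert on
    its own is not proof of an attack and needs protocol/port context.
    """
    off, length = longest_nop_run(payload)
    run = payload[off:off + length]
    return {"offset": off, "length": length, "distinct": len(set(run)),
            "verdict": "alert" if length >= min_run else "clean"}


# Constructed samples. SLED_LIKE mixes several NOP equivalents, as a
# mutated sled would; PIXEL_ROW is an 8-bit grayscale ramp whose values all
# happen to fall in the inc/dec opcode range 0x40..0x4F (a false positive).
SLED_LIKE = b"\x00\x10\x20" + bytes([0x90, 0x41, 0x4A, 0x99, 0x47, 0xF8]) * 4 + b"\x00\x01\x02"
PIXEL_ROW = b"\x00\x00" + bytes(range(0x40, 0x50)) * 2 + b"\xff"
SHORT = b"\x00\x01\x02\x90\x90\x03"

if __name__ == "__main__":
    for name, data in [("sled", SLED_LIKE), ("pixels", PIXEL_ROW), ("short", SHORT)]:
        print(name, scan(data))
```

Both the sled-like payload and the pixel row produce an alert, which is the behaviour the thread is asking about; the offset, run length and byte diversity are what an analyst would look at, together with the service involved, before deciding whether the traffic is image data or an exploit attempt.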


