Snort mailing list archives
Re: spp_fnord Alerts Galore
From: Dragos Ruiu <dr () kyx net>
Date: Fri, 28 Feb 2003 17:55:06 +0000
The default sensitivity level of the fnord preprocessor can be adjusted via a compile define in the fnord processor, MAXNOP. The default value of 128 is very small (thus too sensitive) for links with lots of compressed binary data such as streaming audio. Increment this value in multiples of four (I usually use 512) to increase the length of the possible sled it must find before going off. Change it and recompile.

I'll release a new one shortly with this as a preprocessor option but I'm kinda swamped right now with conference stuff and the Snort book.

cheers,
--dr

On 25 Feb 2003 08:38:29 -0700 Joe Giles <jgiles () joeman1 com> wrote:
List,

I am somewhat new to snort and I use ACID for my reporting. As these systems are great and I generally have no issues, I was noticing a TON of "(spp_fnord) Possible Mutated IA32 NOP Sled detected" alerts in my list. I was not able to find any useful information on Google and I was interested in what they mean. I have a total of 242 alerts of this from 2-6-03 to present.

Any assistance would be great.

Thanks
Joe

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
--dr pgpkey: http://dragos.com/dr-dursec.asc
0 = 1 , for large values of zero and small values of one.
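The threshold effect described in the reply above, as an added example that is not part of the original message and is not the spp_fnord source. It assumes a simplified model in which a sled is an unbroken run of one-byte no-effect opcodes; the opcode set, the function names and the sample payload are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative one-byte no-effect opcodes (assumed set, not fnord's table). */
static int is_nop_like(uint8_t b)
{
    return b == 0x90 || (b >= 0x40 && b <= 0x4f) ||          /* nop, inc/dec r32 */
           b == 0xf5 || b == 0xf8 || b == 0xf9 || b == 0xfc; /* cmc clc stc cld */
}

/* Length of the longest unbroken run of NOP-like bytes in buf. */
size_t longest_sled(const uint8_t *buf, size_t len)
{
    size_t best = 0, run = 0;
    for (size_t i = 0; i < len; i++) {
        run = is_nop_like(buf[i]) ? run + 1 : 0;
        if (run > best) best = run;
    }
    return best;
}

/* Alert once the longest run reaches maxnop, the role MAXNOP plays above. */
int sled_alert(const uint8_t *buf, size_t len, size_t maxnop)
{
    return longest_sled(buf, len) >= maxnop;
}

/* Constructed sample: 64 filler bytes, `run` NOP-like bytes, 64 filler bytes. */
size_t build_sample(uint8_t *out, size_t cap, size_t run)
{
    static const uint8_t mix[] = { 0x90, 0x41, 0x4a, 0xf8 };
    size_t n = 64;
    if (cap < run + 128) return 0;
    memset(out, 0x00, 64);
    for (size_t i = 0; i < run; i++) out[n++] = mix[i % sizeof mix];
    memset(out + n, 0xff, 64);
    return n + 64;
}

int main(void)
{
    uint8_t buf[1024];
    size_t n = build_sample(buf, sizeof buf, 200);
    printf("longest run %zu: alert at 128=%d, at 512=%d\n",
           longest_sled(buf, n), sled_alert(buf, n, 128), sled_alert(buf, n, 512));
    return 0;
}
```

A 200-byte run trips the detector at a threshold of 128 but not at 512, which is the trade-off the reply describes: a higher threshold quiets alerts on data that happens to contain medium-length runs, at the cost of ignoring sleds shorter than the new value.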
Current thread:
- spp_fnord Alerts Galore Joe Giles (Feb 24)
- <Possible follow-ups>
- spp_fnord Alerts Galore Joe Giles (Feb 25)
- Re: spp_fnord Alerts Galore Matt Kettler (Feb 25)
- Re: spp_fnord Alerts Galore Dragos Ruiu (Feb 28)