Snort mailing list archives

Re: spp_fnord Alerts Galore


From: Dragos Ruiu <dr () kyx net>
Date: Fri, 28 Feb 2003 17:55:06 +0000


The default sensitivity level of the fnord preprocessor can be adjusted
via a compile define in the fnord processor, MAXNOP.

The default value of 128 is very small (thus too sensitive) for
links with lots of compressed binary data such as streaming audio.
Increment this value in multiples of four (I usually use 512)
to increase the length of the possible sled it must find before
going off.

Change it and recompile.
I'll release a new one shortly with this as a preprocessor option
but I'm kinda swamped right now with conference stuff and the
Snort book.

cheers,
--dr

On 25 Feb 2003 08:38:29 -0700
Joe Giles <jgiles () joeman1 com> wrote:

List,

I am somewhat new to snort and I use ACID for my reporting. As these
systems are great and I generally have no issues, I was noticing a TON
of "(spp_fnord) Possible Mutated IA32 NOP Sled detected" alerts in my
list. I was not able to find any useful information on Google and I was
interested in what they mean. 

I have a total of 242 alerts of this from 2-6-03 to present.

Any assistance would be great

Thanks

Joe





-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-- 
--dr                  pgpkey: http://dragos.com/dr-dursec.asc
        0 = 1 , for large values of zero and small values of one.
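
An illustration of the threshold described in the reply above, added here and not part of the original thread or of spp_fnord's source: a simplified run-length detector in which `maxnop` plays the role of MAXNOP. The NOP-like byte table, the function names, the `>=` comparison and the sample payloads are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: a small illustrative table of single-byte IA32 instructions
 * that can stand in for NOP. The preprocessor's real table is not on the page. */
static int is_nop_like(unsigned char b) {
    switch (b) {
    case 0x90:                                  /* nop */
    case 0x40: case 0x41: case 0x42: case 0x43: /* inc eax/ecx/edx/ebx */
    case 0x48: case 0x49: case 0x4a: case 0x4b: /* dec eax/ecx/edx/ebx */
    case 0xf8: case 0xf9: case 0xfc:            /* clc, stc, cld */
        return 1;
    default:
        return 0;
    }
}

/* Returns 1 once a run of at least maxnop consecutive NOP-like bytes is seen. */
int sled_alert(const unsigned char *buf, size_t len, size_t maxnop) {
    size_t run = 0;
    for (size_t i = 0; i < len; i++) {
        run = is_nop_like(buf[i]) ? run + 1 : 0;
        if (run >= maxnop)
            return 1;
    }
    return 0;
}

/* Constructed sample: zero filler with one mixed NOP-like run at offset 64. */
void make_payload(unsigned char *out, size_t total, size_t run_len) {
    memset(out, 0x00, total);
    for (size_t i = 0; i < run_len && 64 + i < total; i++)
        out[64 + i] = (i % 2) ? 0x90 : 0x41;
}

/* Alerts raised over three constructed payloads with runs of 96, 200, 600. */
int count_alerts(size_t maxnop) {
    static const size_t runs[] = {96, 200, 600};
    unsigned char buf[1024];
    int alerts = 0;
    for (size_t i = 0; i < sizeof runs / sizeof runs[0]; i++) {
        make_payload(buf, sizeof buf, runs[i]);
        alerts += sled_alert(buf, sizeof buf, maxnop);
    }
    return alerts;
}

int main(void) {
    printf("maxnop=128: %d alerts\n", count_alerts(128));
    printf("maxnop=512: %d alerts\n", count_alerts(512));
    return 0;
}
```

Raising the threshold silences the 200-byte run that fired at 128, which is the trade-off when tuning for traffic that naturally contains long NOP-like runs: anything shorter than the new value no longer alerts.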



