Snort mailing list archives
Re: No ports listed for SHELLCODE x86 NOOP
From: "Josh Berry" <josh.berry () netschematics com>
Date: Tue, 14 Sep 2004 08:08:35 -0500 (CDT)
You aren't seeing port numbers because it is fragmented traffic. The TCP headers are not included in packet fragments.
Hello All -

My snort sensor is running snort-2.2.0 on Solaris 9. I'm seeing a problem with some of my "SHELLCODE x86 NOOP" events not having port numbers listed:

[**] [1:648:7] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
09/14-06:38:39.624643 220.246.35.35 -> 192.233.11.147
TCP TTL:115 TOS:0x0 ID:31983 IpLen:20 DgmLen:1356 MF
Frag Offset: 0x0000 Frag Size: 0x0538

The port number does not show up in the ACID database either. Funny thing is that many of these events do have port numbers:

[**] [1:648:7] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
09/14-06:38:39.624796 220.246.35.35:1995 -> 192.233.11.147:80
TCP TTL:115 TOS:0x0 ID:31983 IpLen:20 DgmLen:1500
***A**** Seq: 0x4B6D415B Ack: 0x7C5136E Win: 0xFAF0 TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

Bug? Or is there something I don't understand? I may just shut this rule off, since I don't have any x86 based machines. However, we like to run with all rules enabled, to understand what attacks are being launched, and then use custom scripts to post-process that data.

Thanks in advance! :)

-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170 Project Admins to receive an Apple iPod Mini FREE for your judgement on who ports your project to Linux PPC the best. Sponsored by IBM. Deadline: Sept. 13. Go here: http://sf.net/ppc_contest.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
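Why the first alert carries only IP-layer fields: Snort 2.x's decoder skips layer-4 parsing for any datagram with the MF bit set or a non-zero fragment offset, so the alert header is printed from the IP header alone and the fragments are handed to the frag preprocessor for reassembly. The following is an added example, not code from the thread or from Snort, that reproduces that decision on constructed packets modelled on the two alerts quoted above; the packet builders and any field values not shown in the alerts are assumptions.

```python
import struct

IP_MF = 0x2000            # "more fragments" bit in the IPv4 flags/offset field
IP_OFFSET_MASK = 0x1FFF   # low 13 bits: fragment offset in 8-byte units
PROTO_TCP = 6

def build_ipv4(src, dst, total_len, ident, flags_frag, ttl, proto, payload=b""):
    """Constructed 20-byte IPv4 header (checksum left zero; not needed to decode)."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, total_len, ident, flags_frag,
                      ttl, proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + payload

def build_tcp(sport, dport, seq, ack, flags, win):
    """Constructed 20-byte TCP header (no options, checksum left zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, win, 0, 0)

def decode_alert_header(pkt):
    """Return the Snort-style 'src -> dst' line for an IPv4 packet.
    Ports are decoded only when the datagram is not a fragment, i.e. MF is
    clear and the fragment offset is zero; otherwise the line falls back to the
    IP-layer fields, which is what the first alert in the thread shows."""
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    more_frags = bool(flags_frag & IP_MF)
    frag_offset = flags_frag & IP_OFFSET_MASK
    if proto == PROTO_TCP and not more_frags and frag_offset == 0 and len(pkt) >= ihl + 20:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        return f"{src}:{sport} -> {dst}:{dport} TCP TTL:{ttl} ID:{ident} DgmLen:{total_len}"
    # Fragment: no layer-4 decode, so report the IP fields and fragment geometry.
    mf = " MF" if more_frags else ""
    return (f"{src} -> {dst} TCP TTL:{ttl} ID:{ident} DgmLen:{total_len}{mf} "
            f"Frag Offset: 0x{frag_offset:04X} Frag Size: 0x{total_len - ihl:04X}")

if __name__ == "__main__":
    tcp = build_tcp(1995, 80, 0x4B6D415B, 0x7C5136E, 0x10, 0xFAF0)
    # First fragment (MF set, offset 0): carries the TCP header but is not decoded.
    print(decode_alert_header(build_ipv4("220.246.35.35", "192.233.11.147", 1356, 31983, IP_MF, 115, PROTO_TCP, tcp)))
    # Unfragmented datagram: ports are decoded and printed.
    print(decode_alert_header(build_ipv4("220.246.35.35", "192.233.11.147", 1500, 31983, 0, 115, PROTO_TCP, tcp)))
```

Running it prints an IP-only line for the fragment and a line with ports 1995 -> 80 for the unfragmented datagram, matching the two alert headers in the thread.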
Current thread:
- No ports listed for SHELLCODE x86 NOOP Miner, Jonathan W (CSC) (US SSA) (Sep 14)
- Re: No ports listed for SHELLCODE x86 NOOP Josh Berry (Sep 14)