Snort mailing list archives

Re: No ports listed for SHELLCODE x86 NOOP


From: "Josh Berry" <josh.berry () netschematics com>
Date: Tue, 14 Sep 2004 08:08:35 -0500 (CDT)

You aren't seeing port numbers because it is fragmented traffic.  The
TCP headers are not included in packet fragments.


Hello All -

My snort sensor is running snort-2.2.0 on Solaris 9. I'm seeing a problem
with some of my "SHELLCODE x86 NOOP" events not having port numbers
listed:

[**] [1:648:7] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
09/14-06:38:39.624643 220.246.35.35 -> 192.233.11.147
TCP TTL:115 TOS:0x0 ID:31983 IpLen:20 DgmLen:1356 MF
Frag Offset: 0x0000   Frag Size: 0x0538

The port number does not show up in the ACID database either.  Funny thing
is that many of these events do have port numbers:

[**] [1:648:7] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
09/14-06:38:39.624796 220.246.35.35:1995 -> 192.233.11.147:80
TCP TTL:115 TOS:0x0 ID:31983 IpLen:20 DgmLen:1500
***A**** Seq: 0x4B6D415B  Ack: 0x7C5136E  Win: 0xFAF0  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

Bug?  Or is there something I don't understand?  I may just shut this rule
off, since I don't have any x86 based machines. However, we like to run
with all rules enabled, to understand what attacks are being launched, and
then use custom scripts to post-process that data.

Thanks in advance! :)




-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 13. Go here: http://sf.net/ppc_contest.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
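An added illustration, not part of the thread or of Snort itself: the Python below builds a TCP segment whose payload is a run of 0x90 NOP bytes and splits it into two IP fragments (addresses, IP ID, ports and the 1356-byte first-fragment size are borrowed from the alerts above; everything else is constructed), then decodes each fragment. Only the offset-0 fragment yields ports; a later fragment starts mid-payload, so the bytes where a naive decoder would look for ports are just 0x9090.

```python
import struct

TCP = 6

def build_ipv4(ident, mf, frag_offset_bytes, payload):
    """Constructed IPv4 header (no options) for a TCP datagram or one of its fragments."""
    flags_frag = ((1 if mf else 0) << 13) | (frag_offset_bytes // 8)  # offset field counts 8-byte units
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      115, TCP, 0, bytes([220, 246, 35, 35]), bytes([192, 233, 11, 147]))
    return hdr + payload

def decode(pkt):
    """Fragment fields plus TCP ports, but ports only when the transport header is actually present."""
    ver_ihl, _, _, ident, flags_frag, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    mf = bool(flags_frag & 0x2000)
    offset = (flags_frag & 0x1FFF) * 8
    info = {"id": ident, "mf": mf, "frag_offset": offset, "is_fragment": mf or offset > 0, "ports": None}
    # Only the fragment at offset 0 starts with the TCP header; a later fragment's
    # first bytes are mid-payload, so reading them as ports would be garbage.
    if proto == TCP and offset == 0 and len(pkt) >= ihl + 4:
        info["ports"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return info

# Constructed sample: a TCP segment (1995 -> 80, ACK set) whose payload is a NOP run,
# split so the first fragment is a 1356-byte datagram (20-byte IP header + 1336 bytes).
TCP_HDR = struct.pack("!HHIIBBHHH", 1995, 80, 0x4B6D415B, 0x7C5136E, 5 << 4, 0x10, 0xFAF0, 0, 0)
SEGMENT = TCP_HDR + b"\x90" * (1336 - len(TCP_HDR) + 200)
FIRST_FRAG = build_ipv4(31983, True, 0, SEGMENT[:1336])      # MF set, offset 0
SECOND_FRAG = build_ipv4(31983, False, 1336, SEGMENT[1336:])  # last fragment, offset 1336

def ports_seen_per_fragment():
    """What each fragment can tell us about ports: (1995, 80) for the first, None for the rest."""
    return [decode(FIRST_FRAG)["ports"], decode(SECOND_FRAG)["ports"]]

def naive_ports(pkt):
    """What a decoder that ignores fragmentation would report: the two 16-bit words after the IP header."""
    ihl = (pkt[0] & 0x0F) * 4
    return struct.unpack("!HH", pkt[ihl:ihl + 4])

if __name__ == "__main__":
    for name, pkt in (("first", FIRST_FRAG), ("second", SECOND_FRAG)):
        print(name, decode(pkt), "naive:", naive_ports(pkt))
```

Both fragments decode with `is_fragment` true, which is the situation in which an IDS has only IP-level fields (ID, offset, MF) to print; the transport ports exist in exactly one of them.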