Snort mailing list archives
Re: Snort generates alerts when I use rsync to download files
From: "Matt Olney" <molney () sourcefire com>
Date: Mon, 15 Sep 2008 09:49:30 -0400
We'd need to see the data portion of the PCAP to give you a precise answer.

In a happy world, one of the benign files you downloaded had a long sequence of 0x43. This sequence can be used as a NOP sled for exploits that are a little 'mushy' on their targets. It is possible for this sequence to occur in the wild and it be nothing, but generally if you get a shellcode alert, you need to look closely at the payload and ensure it is what it should be.

In an unhappy world, that long sequence of 0x43 is a NOP sled, and you're now a bot.

Matt

On Mon, Sep 15, 2008 at 9:41 AM, carlopmart <carlopmart () gmail com> wrote:
Hi all,

I am using snort on my laptop as a test lab. When I try to download files from the Internet, Snort displays this alert:

09/15-14:44:36.373001 [Drop] [**] [1:1390:6] SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 193.109.191.9:873 -> 10.38.55.4:53662

Why is this alert generated?? I am downloading .rpm, .xml, and .gz files ...

--
CL Martinez
carlopmart {at} gmail {d0t} com
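The alert in the thread fires on a long run of 0x43, the single-byte x86 `inc ebx` opcode (which is also ASCII `C`), and Matt's advice is to pull the payload and check that it is really the file it claims to be. The following added example, which is not Snort's code nor anything posted in the thread, implements that same run check over two constructed payloads and returns the bytes around each hit for triage; the 24-byte run length is an assumed threshold for illustration, not a quote of the rule.

```python
"""Flag long runs of the x86 'inc ebx' opcode (0x43, ASCII 'C') in a
payload, the pattern behind a 'SHELLCODE x86 inc ebx NOOP' alert, and
show how a benign text file can carry exactly the same run.

Added example; not Snort's own code. MIN_RUN is an assumed threshold."""

INC_EBX = 0x43   # 'inc ebx' is one byte; a run of them executes harmlessly, hence its use as a sled
MIN_RUN = 24     # assumed: minimum number of consecutive 0x43 bytes that raises the alert


def find_inc_ebx_runs(payload: bytes, min_run: int = MIN_RUN):
    """Return [(offset, length), ...] for every run of 0x43 at least min_run long."""
    runs, i, n = [], 0, len(payload)
    while i < n:
        if payload[i] != INC_EBX:
            i += 1
            continue
        j = i
        while j < n and payload[j] == INC_EBX:
            j += 1
        if j - i >= min_run:
            runs.append((i, j - i))
        i = j
    return runs


def triage(payload: bytes, context: int = 16, min_run: int = MIN_RUN):
    """For each hit, return the bytes before and after the run so an analyst
    can judge whether the surrounding data looks like the expected file."""
    hits = []
    for off, length in find_inc_ebx_runs(payload, min_run):
        hits.append({"offset": off, "length": length,
                     "before": payload[max(0, off - context):off],
                     "after": payload[off + length:off + length + context]})
    return hits


# Constructed samples (not from the reporter's capture):
# a plain-text XML file whose padding happens to be a row of 'C' characters ...
BENIGN_XML = b'<?xml version="1.0"?>\n<pad>' + b"C" * 40 + b"</pad>\n"
# ... and a file whose longest run stops one byte short of the threshold.
SHORT_RUN = b"header " + b"C" * 23 + b" trailer"

if __name__ == "__main__":
    for name, data in (("BENIGN_XML", BENIGN_XML), ("SHORT_RUN", SHORT_RUN)):
        hits = triage(data)
        print(f"{name}: {'ALERT' if hits else 'no alert'}", hits)
```

Running it shows the benign XML alerting with `</pad>` immediately after the run, which is the kind of context that tells an analyst the "sled" is just filler text rather than a prelude to executable code.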