Snort mailing list archives

Re: Snort generates alerts when I use rsync to download files


From: carlopmart <carlopmart () gmail com>
Date: Tue, 16 Sep 2008 16:19:13 +0200

Please, any hints??

carlopmart wrote:
Thanks Matt,

 I have attached pcap file generated by snort. I can see this:

 01b0  42 bf df 2f 84 10 42 08  21 84 10 42 43 43 43 43   B../..B. !..BCCCC
01c0  43 43 43 43 43 43 43 43  43 43 43 43 43 43 43 43   CCCCCCCC CCCCCCCC
01d0  43 43 43 43 43 ee 1a 42  08 f9 77 f7 7b 7c a7 c7   CCCCC..B ..w.{|..

 That corresponds to this rule in shellcode.rules: "(msg:"SHELLCODE x86 inc ebx 
NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; 
sid:1390; rev:6;)", but this is a .rpm file ....

Matt Olney wrote:
We'd need to see the data portion of the PCAP to give you a precise 
answer.
 
In a happy world, one of the benign files you downloaded had a long 
sequence of 0x43.  This sequence can be used as a NOP sled for 
exploits that are a little 'mushy' on their targets.  It is possible 
for this sequence to occur in the wild and it be nothing, but 
generally if you get a shellcode alert, you need to look closely at 
the payload and ensure it is what it should be.
 
In an unhappy world, that long sequence of 0x43 is a NOP sled, and 
you're now a bot.
 
Matt

On Mon, Sep 15, 2008 at 9:41 AM, carlopmart <carlopmart () gmail com> wrote:

    Hi all,

     I am using snort on my laptop as a test lab. When I try to download
    files from
    Internet, Snort displays this alert:

    09/15-14:44:36.373001  [Drop] [**] [1:1390:6] SHELLCODE x86 inc ebx NOOP [**]
    [Classification: Executable code was detected] [Priority: 1] {TCP}
    193.109.191.9:873 -> 10.38.55.4:53662

    Why is this alert generated?? I am downloading .rpm, .xml, and .gz
    files ...


    --
    CL Martinez
    carlopmart {at} gmail {d0t} com







-- 
CL Martinez
carlopmart {at} gmail {d0t} com
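A triage check for the situation discussed in this thread, added here as an example and not code from the thread or from the Snort project: it rebuilds the bytes from the quoted Snort hexdump, finds every run of 0x43 long enough to satisfy the sid 1390 content match (24 consecutive 'C' bytes), and reports whether the flagged bytes, with some surrounding context, are present in the file that was actually saved to disk, which is the "ensure it is what it should be" step. The helper names and the use of the three dump lines quoted above as the sample payload are assumptions.

```python
"""Triage helper for Snort sid 1390 (SHELLCODE x86 inc ebx NOOP) alerts."""
import re

# One Snort-style hexdump line: 4-digit offset, up to 16 hex bytes, then an
# ASCII column that is deliberately ignored (it may itself contain 'C's).
HEX_LINE = re.compile(r"^\s*([0-9a-fA-F]{4})\s+((?:[0-9a-fA-F]{2}\s+){1,16})")

# sid:1390 rev:6 matches on content:"CCCCCCCCCCCCCCCCCCCCCCCC" (24 x 0x43).
RULE_MIN_RUN = 24


def parse_hexdump(text: str) -> bytes:
    """Rebuild raw bytes from hexdump lines (hypothetical helper)."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex("".join(m.group(2).split()))
    return bytes(out)


def find_inc_ebx_runs(data: bytes, min_run: int = RULE_MIN_RUN):
    """Return (offset, length) of each run of 0x43 that would trip the rule."""
    runs, i = [], 0
    while i < len(data):
        if data[i] != 0x43:
            i += 1
            continue
        j = i
        while j < len(data) and data[j] == 0x43:   # extend the run
            j += 1
        if j - i >= min_run:
            runs.append((i, j - i))
        i = j
    return runs


def locate_in_file(payload: bytes, run, file_data: bytes, ctx: int = 8) -> int:
    """Offset in the saved file of the flagged run plus `ctx` bytes of context
    on each side; -1 means the bytes seen on the wire are not in that file."""
    off, length = run
    snippet = payload[max(0, off - ctx): off + length + ctx]
    return file_data.find(snippet)


# Constructed sample: the three dump lines quoted in the thread.
SAMPLE_DUMP = """\
01b0  42 bf df 2f 84 10 42 08  21 84 10 42 43 43 43 43   B../..B. !..BCCCC
01c0  43 43 43 43 43 43 43 43  43 43 43 43 43 43 43 43   CCCCCCCC CCCCCCCC
01d0  43 43 43 43 43 ee 1a 42  08 f9 77 f7 7b 7c a7 c7   CCCCC..B ..w.{|..
"""
```

Run `find_inc_ebx_runs(parse_hexdump(SAMPLE_DUMP))` to see the 25-byte run at offset 12 that exceeds the rule's 24-byte content; feed `locate_in_file` the bytes of the .rpm you downloaded to confirm the run is part of that file rather than something injected into the stream.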

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users