Snort mailing list archives
Fwd: Snort catching backup as alert?
From: William Rehnquyst <rehnquyst () gmail com>
Date: Mon, 19 Aug 2013 11:32:12 -0400
Hi,

The other day my Snort alerted that it had detected shellcode, and the payload information looks just like a Snort rule. It seems to be going from my Snort server to the backup server. Does that just mean that while the backup is happening, Snort is detecting the shellcode it's looking for in the rule file itself? I would think if that's the case then every single rule in the rule file would be triggered, because everything it's looking for is in there and it's being transmitted. Were these shellcode detections just a fluke then?

Below is the payload it captured, which triggered the alert:

"INDICATOR-SHELLCODE x86 OS agnostic alpha numeric upper case decoder"; content:"redacted because it'd just get picked up by sourcefire IDS as malware"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:shellcode-detect; sid:17340; rev:3;)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic alpha UTF8 tolower avoidance decoder"; content:"redacted"; content:"redacted because it'd just get picked up by sourcefire IDS as malware"; distance:1; content:"redacted"; distance:1; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:shellcode-detect; sid:17341; rev:2;)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic unicode mixed case decoder"; content:"redacted"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:shellcode-detect; sid:17342; rev:2;)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic unicode upper case decoder"; content:"redacted"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:shellcode-detect; sid:17343; rev:2;)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic xor

Many thanks,
Rehn

ps. On a side note, pardon my newbie-ness, how do screenshots and attachments work on a mailing list like this? I'm not sure whether they work or not because I never see them in the archive on seclists.org.