Snort mailing list archives

Re: SHELLCODE x86 NOOP


From: Jeff Nathan <jeff () snort org>
Date: Thu, 07 Mar 2002 12:41:01 -0800

The snort rule in question looks for a series of 12 x86 NOOP
instructions (0x90) in a row. 

It is possible that the alerts generated from port 80 are the result of
a gif file containing a series of 0x90 bytes within its color table. 
This could trigger a false alarm.  I'm not familiar with jpg files but
they too may have a color table.

There are a number of other possibilities, this is just one explanation.

-Jeff

Basil Saragoza wrote:

I have quite a lot of them on my internal sensor, all coming from port 80, I
took a look at the payload and it doesn't explain much to me.....
Would it be O.K. to say that those are false alarms generated from normal http
traffic?

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
http://jeff.wwti.com            (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein
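Jeff's explanation above, worked through as an added example that is not part of the original thread: a plain-Python version of the check the rule performs (at least 12 consecutive 0x90 bytes) run against a constructed minimal GIF whose global color table contains a run of mid-grey entries. The function names, the 16-entry palette and the byte layout are assumptions made for illustration; the GIF header and logical screen descriptor follow the public GIF89a layout, and the colour-table parser only reads the fields needed to locate the palette.

```python
import re
import struct

NOP = 0x90  # x86 single-byte NOP, the byte the Snort rule counts

def find_nop_run(data: bytes, min_len: int = 12) -> int:
    """Offset of the first run of at least min_len 0x90 bytes, or -1 if none."""
    match = re.search(rb"\x90{%d,}" % min_len, data)
    return match.start() if match else -1

def global_color_table_span(data: bytes):
    """(start, end) byte offsets of a GIF's global color table, or None.

    Layout: 6-byte signature/version, then a 7-byte logical screen descriptor
    whose packed byte has the global-color-table flag in bit 7 and the table
    size exponent in bits 0-2 (entries = 2 ** (exp + 1), 3 bytes per entry).
    """
    if len(data) < 13 or data[:3] != b"GIF":
        return None
    packed = data[10]
    if not packed & 0x80:
        return None
    entries = 2 ** ((packed & 0x07) + 1)
    start = 13
    return start, start + 3 * entries

def build_sample_gif(gray_from: int = 4, gray_to: int = 10) -> bytes:
    """Constructed 8x8 GIF with a 16-entry palette; entries gray_from..gray_to-1
    are (0x90, 0x90, 0x90), which yields 3 * (gray_to - gray_from) NOP-looking bytes."""
    header = b"GIF89a"
    size_exp = 3                                  # 2 ** (3 + 1) = 16 entries
    screen = struct.pack("<HHBBB", 8, 8, 0x80 | size_exp, 0, 0)
    palette = bytearray()
    for i in range(16):
        if gray_from <= i < gray_to:
            palette += bytes([NOP, NOP, NOP])     # benign grey, looks like a NOP sled
        else:
            palette += bytes([i * 16, 0, 255 - i * 16])
    # Image descriptor and trailer only; pixel data is omitted on purpose, the
    # example is about where the 0x90 run lands, not about rendering the image.
    image_desc = b"," + struct.pack("<HHHHB", 0, 0, 8, 8, 0)
    return header + screen + bytes(palette) + image_desc + b"\x3b"

def classify(data: bytes, min_len: int = 12) -> str:
    """Explain a hit the way an analyst would: is the 0x90 run inside a GIF palette?"""
    offset = find_nop_run(data, min_len)
    if offset < 0:
        return "no_match"
    span = global_color_table_span(data)
    if span and span[0] <= offset < span[1]:
        return "in_color_table"      # the false-alarm case Jeff describes
    return "outside_color_table"     # needs a closer look at the payload

if __name__ == "__main__":
    gif = build_sample_gif()
    print("run at offset", find_nop_run(gif), "palette span", global_color_table_span(gif))
    print("verdict:", classify(gif))
```

The palette in the sample starts at offset 13 and the grey entries begin at entry 4, so the 18-byte 0x90 run is found at offset 25, inside the color table. Running the same check over the HTTP payload Snort flagged, and comparing the hit offset against the image's palette bounds, is a quick way to decide whether a port-80 alert is the colour-table case or something worth escalating.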
