Snort mailing list archives
Re: SHELLCODE x86 NOOP
From: Jeff Nathan <jeff () snort org>
Date: Thu, 07 Mar 2002 12:41:01 -0800
The Snort rule in question looks for a series of 12 x86 NOOP instructions (0x90) in a row. It is possible that the alerts generated from port 80 are the result of a gif file containing a series of 0x90 bytes within its color table. This could trigger a false alarm. I'm not familiar with jpg files but they too may have a color table. There are a number of other possibilities; this is just one explanation.

-Jeff

Basil Saragoza wrote:
I have quite a lot of them on my internal sensor, all coming from port 80. I took a look at the payload and it doesn't explain much to me... Would it be O.K. to say that those are false alarms generated from normal http traffic?

_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- http://jeff.wwti.com (pgp key available) "Common sense is the collection of prejudices acquired by age eighteen." - Albert Einstein
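The false-alarm mechanism Jeff describes can be reproduced offline. The following script is an added example, not code from the thread or from the Snort project: it implements the byte pattern the rule looks for (12 or more consecutive 0x90 bytes), builds a constructed GIF89a whose global color table holds several (0x90, 0x90, 0x90) grey entries, wraps it in a constructed HTTP response, and then shows that the pattern matches on pure image data. The `triage_http_response` helper and the sample response are assumptions made for the example; the Content-Type hint it reports is only a triage aid, since that header is supplied by the remote server and proves nothing on its own.

```python
"""Reproduce a SHELLCODE x86 NOOP false alarm on constructed GIF data.

Added example for the thread above; not part of Snort or the original post.
"""
import struct

NOOP = 0x90
MIN_RUN = 12  # the rule discussed in the thread looks for 12 NOPs in a row


def longest_noop_run(payload: bytes) -> int:
    """Return the length of the longest run of consecutive 0x90 bytes."""
    best = cur = 0
    for b in payload:
        if b == NOOP:
            cur += 1
            best = max(best, cur)
        else:
            cur = 0
    return best


def matches_noop_rule(payload: bytes, min_run: int = MIN_RUN) -> bool:
    """True when the payload contains at least min_run consecutive NOOPs."""
    return longest_noop_run(payload) >= min_run


def build_gif_with_grey_palette(width: int = 1, height: int = 1, n_grey: int = 5) -> bytes:
    """Construct a tiny GIF89a whose global color table starts with n_grey
    entries of (0x90, 0x90, 0x90). With n_grey=5 that is 15 consecutive 0x90
    bytes, enough to satisfy the NOOP pattern although no code is present."""
    header = b"GIF89a"
    # Logical screen descriptor: packed byte 0xF2 = global color table present,
    # 8-bit color resolution, unsorted, table size field 2 -> 2^(2+1) = 8 entries.
    lsd = struct.pack("<HHBBB", width, height, 0xF2, 0, 0)
    palette = bytearray()
    for i in range(8):
        palette += bytes([0x90, 0x90, 0x90]) if i < n_grey else bytes([0, 0, 0])
    # Image descriptor for a full-size image using the global table.
    image_descriptor = b"\x2c" + struct.pack("<HHHHB", 0, 0, width, height, 0)
    # LZW minimum code size 2, one data sub-block encoding a single pixel
    # (clear code, index 0, end-of-information), then the block terminator.
    image_data = b"\x02\x02\x44\x01\x00"
    trailer = b"\x3b"
    return header + lsd + bytes(palette) + image_descriptor + image_data + trailer


def build_http_response(body: bytes, content_type: str) -> bytes:
    """Wrap a body in a minimal constructed HTTP/1.0 response."""
    head = (
        "HTTP/1.0 200 OK\r\n"
        f"Content-Type: {content_type}\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    ).encode("ascii")
    return head + body


def triage_http_response(raw: bytes, min_run: int = MIN_RUN) -> dict:
    """Split a raw HTTP response into head and body and report whether the
    NOOP pattern fires on the body and what Content-Type the body claims.
    The Content-Type comes from the server, so this explains a likely
    false alarm but does not by itself prove the payload is harmless."""
    head, _, body = raw.partition(b"\r\n\r\n")
    content_type = ""
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type":
            content_type = value.strip().decode("ascii", "replace").lower()
    run = longest_noop_run(body)
    return {
        "alert": run >= min_run,
        "longest_run": run,
        "content_type": content_type,
        "likely_image_data": run >= min_run and content_type.startswith("image/"),
    }


# Constructed sample traffic: a GIF served over port 80, as in the thread.
SAMPLE_GIF = build_gif_with_grey_palette()
SAMPLE_RESPONSE = build_http_response(SAMPLE_GIF, "image/gif")

if __name__ == "__main__":
    print("plain text payload matches:", matches_noop_rule(b"GET / HTTP/1.0\r\n\r\n"))
    print("constructed GIF matches:", matches_noop_rule(SAMPLE_GIF))
    print("triage of HTTP response:", triage_http_response(SAMPLE_RESPONSE))
```

Running the script shows the plain request not matching, the GIF matching with a 15-byte run located entirely in the color table, and the triage reporting `image/gif` for the body, which is the situation Jeff's reply describes. Extending the palette builder to other formats or sweeping a capture file with `triage_http_response` is a straightforward next step for confirming whether a batch of port 80 alerts is image data.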
Current thread:
- SHELLCODE x86 NOOP Basil Saragoza (Mar 07)
- Re: SHELLCODE x86 NOOP Jeff Nathan (Mar 07)