Snort mailing list archives

Re: shellcode alerts on src port 80

From: Chris Green <cmg () sourcefire com>
Date: Thu, 26 Sep 2002 09:55:29 -0400

Ted Stringer <teds () lancasterlawyers com> writes:

I am running rh7.3 linux, snort 1.8.7, acid0.9.6, and I am getting a lot
of shellcode alerts.  All of them are from legit http traffic from http
servers.  I thought that the "!" was the not operator.  The shelcode
variable is set to "!80" just the way it comes in the default settings.

I hope someone can tell me what is wrong or at least point me in the
right direction.


You probably don't have your $EXTERNAL_NET set correctly.  The !80 is
on the destination port
-- 
Chris Green <cmg () sourcefire com>
"I'm beginning to think that my router may be confused."


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Why are there no open source GUI's for managing multiple Snort sensors? Carl Samond (Sep 25)
- Re: Why are there no open source GUI's for managing multiple Snort sensors? twig les (Sep 25)
- <Possible follow-ups>
- Why are there no open source GUI's for managing multiple Snort sensors? Ron Shuck (Sep 26)
  - shellcode alerts on src port 80 Ted Stringer (Sep 26)
    - Re: shellcode alerts on src port 80 Chris Green (Sep 26)