Snort mailing list archives
Re: shellcode alerts on src port 80
From: Chris Green <cmg () sourcefire com>
Date: Thu, 26 Sep 2002 09:55:29 -0400
Ted Stringer <teds () lancasterlawyers com> writes:
I am running rh7.3 linux, snort 1.8.7, acid0.9.6, and I am getting a lot of shellcode alerts. All of them are from legit http traffic from http servers. I thought that the "!" was the not operator. The shelcode variable is set to "!80" just the way it comes in the default settings. I hope someone can tell me what is wrong or at least point me in the right direction.
You probably don't have your $EXTERNAL_NET set correctly. The !80 is on the destination port -- Chris Green <cmg () sourcefire com> "I'm beginning to think that my router may be confused." ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Why are there no open source GUI's for managing multiple Snort sensors? Carl Samond (Sep 25)
- <Possible follow-ups>
- Why are there no open source GUI's for managing multiple Snort sensors? Ron Shuck (Sep 26)
- shellcode alerts on src port 80 Ted Stringer (Sep 26)
- Re: shellcode alerts on src port 80 Chris Green (Sep 26)
- shellcode alerts on src port 80 Ted Stringer (Sep 26)