Snort mailing list archives
Re: Snort generates alerts when I use rsync to download files
From: carlopmart <carlopmart () gmail com>
Date: Tue, 16 Sep 2008 16:19:13 +0200
Please, any hints??

carlopmart wrote:
> Thanks Matt, I have attached the pcap file generated by snort. I can see this:
>
> 01b0 42 bf df 2f 84 10 42 08 21 84 10 42 43 43 43 43 B../..B. !..BCCCC
> 01c0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCC CCCCCCCC
> 01d0 43 43 43 43 43 ee 1a 42 08 f9 77 f7 7b 7c a7 c7 CCCCC..B ..w.{|..
>
> That corresponds to shellcode.rules as a:
>
> "(msg:"SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:1390; rev:6;)"
>
> but this is a .rpm file ....
>
> Matt Olney wrote:
>> We'd need to see the data portion of the PCAP to give you a precise answer.
>>
>> In a happy world, one of the benign files you downloaded had a long sequence of 0x43. This sequence can be used as a NOP sled for exploits that are a little 'mushy' on their targets. It is possible for this sequence to occur in the wild and it be nothing, but generally if you get a shellcode alert, you need to look closely at the payload and ensure it is what it should be.
>>
>> In an unhappy world, that long sequence of 0x43 is a NOP sled, and you're now a bot.
>>
>> Matt
>>
>> On Mon, Sep 15, 2008 at 9:41 AM, carlopmart <carlopmart () gmail com> wrote:
>>> Hi all,
>>>
>>> I am using snort on my laptop as a test lab. When I try to download files from the Internet, Snort displays this alert:
>>>
>>> 09/15-14:44:36.373001 [Drop] [**] [1:1390:6] SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 193.109.191.9:873 -> 10.38.55.4:53662
>>>
>>> Why is this alert generated?? I am downloading .rpm, .xml, and .gz files ...
--
CL Martinez
carlopmart {at} gmail {d0t} com

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
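An added example, not code from the thread, showing why sid:1390 fires on the quoted bytes and the triage Matt describes: it parses the hex dump quoted above, locates the rule's 24-byte content: pattern, measures the run of 0x43, and checks that the run together with its neighbouring bytes appears verbatim in the file rsync wrote to disk. FAKE_SAVED_FILE stands in for the real .rpm and all function names are this example's own.

```python
import re

# Three lines of the hex dump quoted in the thread (offset, 16 hex bytes, ASCII column).
PACKET_DUMP = """\
01b0 42 bf df 2f 84 10 42 08 21 84 10 42 43 43 43 43 B../..B. !..BCCCC
01c0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCC CCCCCCCC
01d0 43 43 43 43 43 ee 1a 42 08 f9 77 f7 7b 7c a7 c7 CCCCC..B ..w.{|..
"""

# content: pattern of sid:1390 rev:6 as quoted above: 24 consecutive 0x43 ('C', x86 "inc ebx").
SID_1390_CONTENT = b"C" * 24

def parse_hexdump(text):
    """Return (base_offset, payload) from a Snort-style dump; the ASCII column is ignored."""
    base, out = None, bytearray()
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 2 or not re.fullmatch(r"[0-9a-fA-F]{4}", tok[0]):
            continue
        if base is None:
            base = int(tok[0], 16)
        for t in tok[1:17]:                      # at most 16 bytes per dump line
            if not re.fullmatch(r"[0-9a-fA-F]{2}", t):
                break                            # reached the ASCII column
            out.append(int(t, 16))
    return base or 0, bytes(out)

def first_hit(payload, content=SID_1390_CONTENT):
    """Index of the first content match (what Snort's content: keyword needs), or None."""
    i = payload.find(content)
    return None if i < 0 else i

def longest_run(payload, byte=0x43):
    """(length, start) of the longest run of `byte`: how far past the 24-byte threshold the data goes."""
    best, cur = (0, None), 0
    for i, b in enumerate(payload):
        cur = cur + 1 if b == byte else 0
        if cur > best[0]:
            best = (cur, i - cur + 1)
    return best

def run_with_context_in_file(payload, start, length, file_bytes, pad=4):
    """Triage check: the run plus `pad` bytes on each side must appear verbatim in the saved file.
    A bare run of 0x43 proves little; its non-0x43 neighbours tie the packet to the file content."""
    lo, hi = max(0, start - pad), min(len(payload), start + length + pad)
    return payload[lo:hi] in file_bytes

# Constructed stand-in for the .rpm written to disk by rsync (not a real package).
FAKE_SAVED_FILE = bytes(range(64)) + parse_hexdump(PACKET_DUMP)[1] + bytes(range(64))

if __name__ == "__main__":
    base, payload = parse_hexdump(PACKET_DUMP)
    hit = first_hit(payload)
    length, start = longest_run(payload)
    print(f"sid:1390 content matches at 0x{base + hit:04x}; run of {length} x 0x43 from 0x{base + start:04x}")
    print("run (with context) present in saved file:", run_with_context_in_file(payload, start, length, FAKE_SAVED_FILE))
```

If the same check against the real file on disk comes back False, the bytes on the wire were not what was saved, and the alert deserves the "unhappy world" treatment rather than a rule suppression.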