Snort mailing list archives
Re: Fwd: Snort catching backup as alert?
From: waldo kitty <wkitty42 () windstream net>
Date: Sat, 24 Aug 2013 20:45:37 -0400
On 8/19/2013 12:26, Alexandre Carmel-Veilleux wrote:
Hi, The shellcode detector is a frequent source of false positives. It's basically only matching strings of letters / characters that frequently happen in shellcodes in any network packet. Most of the better exploitation tools out there can randomize their shellcodes avoiding this rule altogether. This is basically designed to catch very low-hanging fruit (like some bad automated scanners). You can reduce the impact by making sure both your servers are in $HOME_NET's IP range. Possibly encrypting the backups you do will modify the character signature enough as well. Otherwise, be somewhat skeptical of that alert.
agreed completely! :) -- NOTE: No off-list assistance is given without prior approval. Please keep mailing list traffic on the list unless private contact is specifically requested and granted.
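One way to put the $HOME_NET advice from the thread into practice, as an added example that is not code from the original posts or from the Snort project: a snort.conf fragment showing the permissive default scoping beside a corrected one, followed by a threshold.conf suppression for the two backup hosts. The address ranges, host addresses and the sig_id are placeholders (documentation-range addresses; the real SID comes from the alert that fired), and the rule header shown for the shellcode rules is the generic $EXTERNAL_NET -> $HOME_NET shape those rules use.

```snort
# --- snort.conf: permissive (default) scoping --------------------------
# With both variables set to "any", a rule header such as
#   alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (...)
# matches every flow, including backup traffic between two internal hosts.
ipvar HOME_NET any
ipvar EXTERNAL_NET any

# --- snort.conf: corrected scoping -------------------------------------
# Placeholder ranges: put BOTH backup servers inside HOME_NET so a flow
# between them has no $EXTERNAL_NET side and the rule header cannot match.
ipvar HOME_NET [192.0.2.0/24,198.51.100.0/24]
ipvar EXTERNAL_NET !$HOME_NET
# Keep the shellcode port scope narrow rather than widening it.
portvar SHELLCODE_PORTS !80

# --- threshold.conf: last resort, if the alert still fires -------------
# Suppress only the one SID from the alert (placeholder below) and only for
# the backup source host; do not disable the whole shellcode category.
suppress gen_id 1, sig_id <SID_FROM_ALERT>, track by_src, ip 192.0.2.10
```

Fix the $HOME_NET definition first and reload; add the suppression only if the alert persists, and keep it scoped to the single SID and host so genuine shellcode alerts from anywhere else still reach you.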
Current thread:
- Fwd: Snort catching backup as alert? William Rehnquyst (Aug 19)
- Re: Fwd: Snort catching backup as alert? Jefferson, Shawn (Aug 19)
- Re: Fwd: Snort catching backup as alert? waldo kitty (Aug 19)
- Re: Fwd: Snort catching backup as alert? William Rehnquyst (Aug 22)
- Re: Fwd: Snort catching backup as alert? waldo kitty (Aug 22)
- Re: Fwd: Snort catching backup as alert? William Rehnquyst (Aug 22)
- Re: Fwd: Snort catching backup as alert? Alexandre Carmel-Veilleux (Aug 24)
- Re: Fwd: Snort catching backup as alert? waldo kitty (Aug 24)
- Re: Fwd: Snort catching backup as alert? Joel Esler (Aug 25)
- Re: Fwd: Snort catching backup as alert? waldo kitty (Aug 24)