Snort mailing list archives

Re: Fwd: Snort catching backup as alert?


From: waldo kitty <wkitty42 () windstream net>
Date: Sat, 24 Aug 2013 20:45:37 -0400

On 8/19/2013 12:26, Alexandre Carmel-Veilleux wrote:
> Hi,
> 
> The shellcode detector is a frequent source of false positives. It's basically
> only matching strings of letters / characters that frequently happen in
> shellcodes in any network packet. Most of the better exploitation tools out
> there can randomize their shellcodes, avoiding this rule altogether. This is
> basically designed to catch very low-hanging fruit (like some bad automated
> scanners).
> 
> You can reduce the impact by making sure both your servers are in $HOME_NET's IP
> range. Possibly encrypting the backups you do will modify the character
> signature enough as well. Otherwise, be somewhat skeptical of that alert.

agreed completely! :)


-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
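A concrete version of the $HOME_NET advice from the quoted reply, written as an added configuration example rather than anything posted in the thread; the addresses are documentation placeholders and the SID in the suppress line is an assumption to be replaced with the gen_id/sig_id printed in the actual alert.

```snort
# snort.conf (Snort 2.x) -- constructed example, placeholder addresses.
# The shellcode rules carry the header
#   $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS
# and EXTERNAL_NET is defined as the complement of HOME_NET. Once both the
# backup source and the backup destination sit inside HOME_NET, traffic
# between them can no longer match that header at all.
ipvar HOME_NET [192.0.2.0/24,198.51.100.0/24]
ipvar EXTERNAL_NET !$HOME_NET

# threshold.conf -- for a backup peer that has to stay outside HOME_NET,
# suppress the single rule that fires for that single source address instead
# of disabling the whole shellcode category. gen_id 1 is the rules engine;
# sig_id 648 ("SHELLCODE x86 NOOP") is assumed here as the firing rule.
suppress gen_id 1, sig_id 648, track by_src, ip 203.0.113.5
```

Check the effect by running the backup again and confirming the alert count in the Snort log drops to zero for those two hosts while the rule still fires in a test against an address outside HOME_NET.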


