[Snort-users] [**] IDS181 - MISC - Shellcode X86 NOPS [**] - lots of false positives

Erik Engberg Erik.Engberg at ...511...
Mon Sep 25 14:26:24 EDT 2000

[**] IDS181 - MISC - Shellcode X86 NOPS [**]

I'm getting a lot of false positives on this one from what seems to be ftp.
It seems to detect this *a lot* on file transfers, as noop code is not
unusual in files transferred.
It seems to trigger a lot especially when downloading iso images for various
distributions. This *MAY* be my imagination.

The weird thing is that the data in ftp should go over UDP and the signature
is TCP, so why am I getting these positives?

There is a "NOOP" thing that ftp clients send to keep a server connection
up, does this mean the client sends loads of "90 90 90 90 90 90 90" etc? It
should go over the tcp command connection so that could be it.

I'd love to filter this out some more, but the signature triggers on "random"
high ports, so a filter with
pass tcp xxx.xxx.xxx.xxx 21 <> any any
wouldn't work, right?
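As an added illustration (not part of the original post and not Snort's own rule logic), the script below models the signature as "a run of consecutive 0x90 bytes" and runs it over constructed payloads: the ASCII FTP `NOOP` keepalive from the control channel, and a binary fragment containing 0x90 alignment padding like that found in executables on an ISO. The run-length threshold is an assumption, not the real IDS181 content string.

```python
# Added example: models the IDS181 false-positive scenario from the thread.
# Assumption: the signature fires on a contiguous run of 0x90 (x86 NOP) bytes.
# ASSUMED_MIN_RUN is a constructed threshold taken from the seven "90" bytes
# quoted in the post, not the length used by the real rule.
NOP = 0x90
ASSUMED_MIN_RUN = 7


def longest_nop_run(payload: bytes) -> int:
    """Return the length of the longest run of consecutive 0x90 bytes."""
    best = run = 0
    for b in payload:
        run = run + 1 if b == NOP else 0
        best = max(best, run)
    return best


def would_alert(payload: bytes, min_run: int = ASSUMED_MIN_RUN) -> bool:
    """True if the modelled NOP-sled signature would fire on this payload."""
    return longest_nop_run(payload) >= min_run


def printable_ratio(payload: bytes) -> float:
    """Share of bytes that are printable ASCII; high for a text control channel,
    low for a binary data transfer. Used only as a triage hint."""
    if not payload:
        return 0.0
    printable = sum(1 for b in payload if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(payload)


# Constructed samples (not captured traffic).
# RFC 959 keepalive on the TCP control channel: plain ASCII, no 0x90 bytes.
FTP_NOOP_KEEPALIVE = b"NOOP\r\n"
FTP_NOOP_REPLY = b"200 NOOP ok.\r\n"
# Fragment of a binary as it might appear in a file transfer: a header start,
# then sixteen 0x90 bytes of inter-function padding, then ordinary code bytes.
BINARY_PADDING = b"\x7fELF" + b"\x00" * 12 + bytes([NOP]) * 16 + b"\x55\x89\xe5"


def triage(samples: dict) -> dict:
    """Map each sample name to (alerts?, printable ratio) for quick review."""
    return {name: (would_alert(data), round(printable_ratio(data), 2))
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in triage({"ftp NOOP": FTP_NOOP_KEEPALIVE,
                                "ftp reply": FTP_NOOP_REPLY,
                                "binary chunk": BINARY_PADDING}).items():
        print(f"{name:13s} alert={result[0]!s:5s} printable={result[1]}")
```

The keepalive never contains 0x90 bytes, so the alerts in the post come from binary content on the data connection, where long NOP runs are ordinary padding.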


