[Snort-users] [**] IDS181 - MISC - Shellcode X86 NOPS [**] - lots of false positives

Andreas Maus andreas_maus at ...375...
Mon Sep 25 19:43:26 EDT 2000

Erik Engberg wrote:
> [**] IDS181 - MISC - Shellcode X86 NOPS [**]
> I'm getting a lot of false positives on this one from what seems to be ftp
> traffic.
> It seems to detect this *a lot* on file transfers as noop code is not
> unusual in files transferred.
> It seems to trigger a lot especially when downloading iso images for various
> distributions. This *MAY* be my imagination.
> The weird thing is that the data in ftp should go over UDP and the signature
> is TCP, so why am I getting these positives?
> There is a "NOOP" thing that ftp clients send to keep a server connection
> up, does this mean the client sends loads of "90 90 90 90 90 90 90" etc? It
> should go over the tcp command connection so that could be it.
No, no, no, no, no.... :-)
The NOOP command is a special FTP command and it is system independent.
The NOP that triggers that rule is an assembler command (with the opcode 90) for x86 (and 8088) processors. Used in a program it instructs the processor to do...well, nothing (you guessed it :-). It is usually used in programs to pad code to a specific (e.g. word-) boundary.

I'm not familiar with the ISO image standard, so I don't know what they mean in an ISO image...

FTP data may use UDP, but UDP is an unreliable protocol, so I think TCP is used as the default protocol.

So long...Andreas.
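An added illustration of the point made in the reply above (not code from the original thread or from the Snort project): the FTP NOOP keepalive is ASCII text and contains no 0x90 byte, whereas a binary file in transit routinely carries runs of 0x90 because assemblers pad code to an alignment boundary with NOPs, so a content match on consecutive 0x90 bytes fires on the data connection. The exact content string of the IDS181 rule is not given on the page; the threshold `MIN_RUN`, the alignment width, and all sample payloads below are constructed assumptions.

```python
"""Why an x86 NOP content rule fires on binary transfers but not on FTP NOOP.

Added example, not from the original thread. The real IDS181 content string
is not on the page; MIN_RUN is an assumed threshold and all payloads are
constructed.
"""

NOP = 0x90      # x86 opcode for NOP, as stated in the thread
MIN_RUN = 8     # assumed: consecutive NOPs needed for a hit (constructed)


def find_nop_runs(payload: bytes, min_run: int = MIN_RUN) -> list:
    """Return (offset, length) for every run of >= min_run consecutive 0x90 bytes."""
    runs = []
    i, n = 0, len(payload)
    while i < n:
        if payload[i] == NOP:
            j = i
            while j < n and payload[j] == NOP:
                j += 1
            if j - i >= min_run:
                runs.append((i, j - i))
            i = j
        else:
            i += 1
    return runs


def pad_with_nops(code: bytes, boundary: int) -> bytes:
    """Pad a code fragment with 0x90 up to the next `boundary`-byte alignment,
    the way an assembler aligns the next function entry."""
    remainder = len(code) % boundary
    if remainder == 0:
        return code
    return code + bytes([NOP]) * (boundary - remainder)


def classify(payload: bytes) -> str:
    """Verdict a naive content rule would give for one packet payload."""
    return "ALERT" if find_nop_runs(payload) else "clean"


# Constructed samples: the FTP keepalive on the TCP control connection ...
FTP_NOOP_COMMAND = b"NOOP\r\n"
FTP_NOOP_REPLY = b"200 NOOP command successful.\r\n"

# ... and a stand-in for a slice of a binary file on the data connection:
# three tiny code fragments, each aligned to 16 bytes with NOP padding.
FRAGMENTS = [b"\x55\x89\xe5\x5d\xc3", b"\x31\xc0\xc3", b"\x53\x31\xdb\x5b\xc3"]
BINARY_SLICE = b"".join(pad_with_nops(f, 16) for f in FRAGMENTS)


if __name__ == "__main__":
    for name, data in [("FTP NOOP command", FTP_NOOP_COMMAND),
                       ("FTP NOOP reply", FTP_NOOP_REPLY),
                       ("binary slice", BINARY_SLICE)]:
        print(f"{name:18s} {classify(data):6s} {find_nop_runs(data)}")
```

Running it shows the two FTP keepalive messages classified clean and the 48-byte binary slice producing three separate NOP runs (11, 13 and 11 bytes), which is exactly the pattern a file transfer generates without any shellcode being present; the practical mitigation is to scope such a rule away from known bulk file-transfer flows rather than to lower its threshold.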

