[Snort-users] unicode BUFFER OVERFLOW ATTACK

Matt Hand matt at ...1740...
Wed Apr 4 11:49:20 EDT 2001


  I've seen a couple of what I believe are false alerts from 216.105.166.25 (www.heavy.com).

Some connections to the address generate alerts like the following:

Apr  3 17:56:52 baywatch snort: x86 NOOP - unicode BUFFER OVERFLOW ATTACK: 216.105.166.25:80 -> 192.168.1.26:2063
Apr  3 17:57:00 baywatch snort: x86 NOOP - unicode BUFFER OVERFLOW ATTACK: 216.105.166.25:80 -> 192.168.1.26:2063

  The entire site is Flash heavy and has some sort of stream audio via Flash. Any ideas regarding tuning up my ruleset or do I have a surreptitious attack to deal with?

Thanks, 

Matt Hand
matt at ...1740...
212.771.1700 ext.200




