[Snort-users] unicode BUFFER OVERFLOW ATTACK
fygrave at ...121...
Wed Apr 4 13:16:36 EDT 2001
On Wed, Apr 04, 2001 at 10:49:20AM -0500, Matt Hand wrote:
> I've seen a couple of what I believe are false alerts from 126.96.36.199 (www.heavy.com).
> Some connections to the address generate alerts like the following:
> Apr 3 17:56:52 baywatch snort: x86 NOOP - unicode BUFFER OVERFLOW ATTACK: 188.8.131.52:80 -> 192.168.1.26:2063
> Apr 3 17:57:00 baywatch snort: x86 NOOP - unicode BUFFER OVERFLOW ATTACK: 184.108.40.206:80 -> 192.168.1.26:2063
> The entire site is Flash heavy and has some sort of stream audio via Flash. Any ideas regarding tuning up my ruleset or do I have a surreptitious attack to deal with?
Probably your streaming flash/audio has a lot of 0x90 characters in it. That's what may trigger the rule.
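A triage sketch for the explanation above, added here as an example and not part of the original thread or of the Snort ruleset: it measures how long the 0x90 runs in a captured payload actually are, so a short incidental run in media data can be told apart from a long filler run. The byte patterns (plain 0x90 runs, and 0x90 0x00 pairs for the "unicode" form), the 5-repeat minimum, the 64-byte threshold and both sample payloads are assumptions constructed for illustration.

```python
import re

# Assumed patterns (not quoted in the thread): a plain run of 0x90 bytes, and
# the "unicode" form where each 0x90 is followed by 0x00 (8-bit data widened
# to 16-bit characters).
PLAIN = re.compile(rb"\x90{5,}")
WIDE = re.compile(rb"(?:\x90\x00){5,}")

def find_nop_runs(payload):
    """Return (kind, offset, length_in_bytes) for every matching run, by offset."""
    hits = [("unicode", m.start(), len(m.group())) for m in WIDE.finditer(payload)]
    hits += [("plain", m.start(), len(m.group())) for m in PLAIN.finditer(payload)]
    return sorted(hits, key=lambda h: h[1])

def triage(payload, long_run=64):
    """Heuristic label for an alerted payload.

    'no-match'  : nothing resembling the pattern
    'short-run' : pattern present but brief, as binary media often produces
    'long-run'  : at least long_run bytes of filler, worth a closer look
    The long_run threshold is an assumed tuning value, not a Snort setting.
    """
    runs = find_nop_runs(payload)
    if not runs:
        return "no-match"
    longest = max(length for _, _, length in runs)
    return "long-run" if longest >= long_run else "short-run"

# Constructed sample: media-like bytes that happen to contain five 0x90 0x00 pairs.
MEDIA_LIKE = b"FWS\x05" + b"\x12\x34" * 20 + b"\x90\x00" * 5 + b"\x7f\x01" * 20
# Constructed sample: a long run of 0x90 0x00 filler after a short prefix.
SLED_LIKE = b"A" * 16 + b"\x90\x00" * 100

if __name__ == "__main__":
    for name, data in (("media-like", MEDIA_LIKE), ("sled-like", SLED_LIKE)):
        print(name, triage(data), find_nop_runs(data))
```
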