[Snort-users] unicode BUFFER OVERFLOW ATTACK

Fyodor fygrave at ...121...
Wed Apr 4 13:16:36 EDT 2001


On Wed, Apr 04, 2001 at 10:49:20AM -0500, Matt Hand wrote:
>   I've seen a couple of what I believe are false alerts from 216.105.166.25 (www.heavy.com).
> 
> Some connections to the address generate alerts like the following:
> 
> Apr  3 17:56:52 baywatch snort: x86 NOOP - unicode BUFFER OVERFLOW ATTACK: 216.105.166.25:80 -> 192.168.1.26:2063
> Apr  3 17:57:00 baywatch snort: x86 NOOP - unicode BUFFER OVERFLOW ATTACK: 216.105.166.25:80 -> 192.168.1.26:2063
> 
>   The entire site is Flash heavy and has some sort of stream audio via Flash. Any ideas regarding tuning up my ruleset or do I have a surreptitious attack to deal with?
> 

Probably your streaming flash/audio has a lot of 0x90 characters in it. That's what may trigger the rule.
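
An added example, not part of the original thread, showing the effect described in the reply: a signature that matches a short run of 0x90 bytes also matches ordinary binary data, while a longer required run does not. The `90 00` pair pattern, both thresholds and both sample payloads are constructed assumptions; the actual rule content is not shown in the thread.

```python
# Added illustration: why a fixed-content "unicode NOP" signature can fire on
# benign binary streams.
# ASSUMPTION: the signature is modelled as N back-to-back repetitions of the
# byte pair 90 00 (x86 NOP widened to 16 bits). The real rule body is not
# shown in the thread.
NOP_PAIR = b"\x90\x00"


def longest_pair_run(payload: bytes, pair: bytes = NOP_PAIR) -> int:
    """Return the longest count of consecutive `pair` repetitions in payload."""
    best = 0
    i = 0
    step = len(pair)
    while i <= len(payload) - step:
        if payload[i:i + step] == pair:
            run = 0
            j = i
            while payload[j:j + step] == pair:
                run += 1
                j += step
            best = max(best, run)
            i = j  # continue scanning after this run
        else:
            i += 1
    return best


def would_alert(payload: bytes, min_pairs: int) -> bool:
    """Model a content rule that needs at least `min_pairs` repetitions."""
    return longest_pair_run(payload) >= min_pairs


# CONSTRUCTED sample: binary media-like data that happens to hold a short
# stretch of 90 00 pairs (for example, repeated 16-bit values of 0x0090).
MEDIA_LIKE = b"\x12\x34" * 20 + b"\x90\x00" * 6 + b"\x8f\x00\x91\x00" * 10

# CONSTRUCTED sample: a long uninterrupted run, as padding would look.
SLED_LIKE = b"A" * 8 + b"\x90\x00" * 64

if __name__ == "__main__":
    for name, data in (("media-like", MEDIA_LIKE), ("sled-like", SLED_LIKE)):
        run = longest_pair_run(data)
        # Thresholds 5 and 32 are hypothetical, chosen only for illustration.
        print(f"{name}: longest run={run} "
              f"short-rule={would_alert(data, 5)} "
              f"long-rule={would_alert(data, 32)}")
```

Raising the required run length is only one possible tuning and trades false positives for the chance of missing shorter padding.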



