[Snort-users] "SHELLCODE x86 NOOP" from presumably non dangerous addresses

Guillaume guillaume at ...4029...
Fri Nov 30 03:29:05 EST 2001


In reply to Roberto Suarez Soto <robe at ...3881...>:

> Hi, 
> 
> 	I'm receiving several "SHELLCODE x86 NOOP" alerts from addresses like
> "law2-www.hotmail.com" and another one in akamai (presumably, one of
> those used in ad banners: a62-41-13-32.deploy.akamaitechnologies.com). Is
> there a non-paranoid explanation of what could be happening?
> 
> 	I think that maybe the transmission of some gif/jpg or some attach
> could trigger the alert, but I'm not very sure.

I do confirm: I already noticed that this alert appeared during FTP file 
transfers. The non-paranoid explanation being that the pattern (90 90 90 90 90 
90 90 90 90 90 90 90 90 90) could be found in regular binary files.

You should always take a look at the packet load when such an alert based on 
just that kind of content is triggered: I was about to send a furious e-mail to 
some sysadmin after having seen tons of this alert when I saw that it was just 
one of our clients transferring binary files to his website....


Guillaume

***********************************
Sent with HORDE/IMP (www.horde.org)
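
A small triage helper for the payload check recommended in the message above, as an added example that is not part of the original post or of Snort: it locates every run of 0x90 at least as long as the 14-byte pattern quoted in the message and reports the surrounding bytes plus a file-type hint. The function names, the signature table and the sample bytes are assumptions constructed for illustration, and the type hint is only meaningful when the captured bytes start at the beginning of the transferred file.

```python
import re

# The 14-byte pattern quoted in the message above (0x90 is the x86 NOP opcode).
NOOP_PATTERN = b"\x90" * 14

# A few well-known file signatures, used only as a hint about the payload.
MAGIC = {b"GIF87a": "GIF image", b"GIF89a": "GIF image",
         b"\xff\xd8\xff": "JPEG image", b"PK\x03\x04": "ZIP archive",
         b"\x1f\x8b": "gzip data"}

def guess_type(payload: bytes) -> str:
    """Return a file-type hint based on the leading bytes, or 'unknown'."""
    for sig, name in MAGIC.items():
        if payload.startswith(sig):
            return name
    return "unknown"

def triage(payload: bytes, context: int = 8) -> dict:
    """Summarise every run of 0x90 long enough to satisfy the content match."""
    runs = []
    for m in re.finditer(rb"\x90{%d,}" % len(NOOP_PATTERN), payload):
        runs.append({
            "offset": m.start(),
            "length": m.end() - m.start(),
            # Bytes on either side help tell padding or pixel data from code.
            "before": payload[max(0, m.start() - context):m.start()].hex(),
            "after": payload[m.end():m.end() + context].hex(),
        })
    return {"type": guess_type(payload), "size": len(payload),
            "matched": NOOP_PATTERN in payload, "runs": runs}

# Constructed sample (not real traffic): bytes starting with a GIF signature
# whose data area happens to contain twenty consecutive 0x90 bytes.
SAMPLE = (b"GIF89a" + bytes([0x10, 0x00, 0x10, 0x00, 0x80, 0x00, 0x00])
          + b"\x12\x34" * 10 + b"\x90" * 20 + b"\x56\x78" * 4)

if __name__ == "__main__":
    report = triage(SAMPLE)
    print(report["type"], report["size"], "bytes, matched:", report["matched"])
    for run in report["runs"]:
        print(run)
```

A match inside data that identifies as an image or archive, surrounded by ordinary file bytes, is the benign case described in the message; the alert alone does not distinguish it from anything else.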