[Snort-users] SHELLCODE x86 NOOP and Novell

Yonah Russ yonah at ...5038...
Thu Feb 21 07:14:54 EST 2002


Has anyone ever noticed that this signature seems to be triggered by NCP
in NetWare 5? I just set up a Snort box and I'm getting alerts from
NetWare servers originating at port 524, NetWare's NCP request port.

Here is the rule:

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 NOOP";
content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth: 128;
reference:arachnids,181; classtype:shellcode-detect; sid:648; rev:4;)

Is there any way to make it better and eliminate this false positive
other than telling it to ignore those servers and/or ports?
Thanks
Yonah




