[Snort-users] SHELLCODE x86 NOOP

Jeff Nathan jeff at ...950...
Thu Mar 7 12:47:52 EST 2002

The snort rule in question looks for a series of 12 x86 NOOP
instructions (0x90) in a row. 

It is possible that the alerts generated from port 80 are the result of
a gif file containing a series of 0x90 bytes within its color table. 
This could trigger a false alarm.  I'm not familiar with jpg files but
they too may have a color table.

There are a number of other possibilities, this is just one explanation.


Basil Saragoza wrote:
> I have quite a lot of them on my internal sensor, all coming from port 80, I
> took a look at the payload and it doesn't explain much to me.....
> Would it be O.K to say that those are false alarms generated from nrmal http
> traffic?
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

http://jeff.wwti.com            (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein

More information about the Snort-users mailing list