[Snort-users] SHELLCODE x86 NOOP
jeff at ...950...
Thu Mar 7 12:47:52 EST 2002
The snort rule in question looks for a series of 12 x86 NOOP
instructions (0x90) in a row.
It is possible that the alerts generated from port 80 are the result of
a gif file containing a series of 0x90 bytes within its color table.
This could trigger a false alarm. I'm not familiar with jpg files but
they too may have a color table.
There are a number of other possibilities; this is just one explanation.
Basil Saragoza wrote:
> I have quite a lot of them on my internal sensor, all coming from port 80, I
> took a look at the payload and it doesn't explain much to me.....
> Would it be O.K to say that those are false alarms generated from normal http
http://jeff.wwti.com (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein
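
Added example, not part of the original message or of Snort: a triage helper that checks whether a run of 0x90 bytes in a captured HTTP payload lies inside a GIF global color table, the benign explanation suggested above. The function names, the sample data and the assumption that the payload starts at the GIF header are illustrative; the run length of 12 is the figure given in the message.

```python
import re
import struct

# 12 or more 0x90 bytes in a row (threshold as stated in the message above)
NOP_RUN = re.compile(rb"\x90{12,}")

def gif_global_color_table(data):
    """Return (start, end) offsets of the GIF global color table, or None."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    packed = data[10]                      # packed field of the screen descriptor
    if not packed & 0x80:                  # bit 7 set: global color table present
        return None
    size = 3 * (2 ** ((packed & 0x07) + 1))  # 3 bytes (R, G, B) per entry
    return (13, min(13 + size, len(data)))   # clamp: capture may be truncated

def triage(payload):
    """List (offset, length, verdict) for every 0x90 run in the payload."""
    table = gif_global_color_table(payload)
    results = []
    for m in NOP_RUN.finditer(payload):
        inside = (table is not None
                  and table[0] <= m.start() and m.end() <= table[1])
        verdict = "gif-color-table" if inside else "unexplained"
        results.append((m.start(), m.end() - m.start(), verdict))
    return results

def make_gif(palette):
    """Constructed sample: 1x1 GIF89a header, 256-entry palette, trailer."""
    header = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80 | 0x07, 0, 0)
    return header + palette + b"\x3b"

if __name__ == "__main__":
    # Constructed palette: four grey entries (0x90, 0x90, 0x90) after ten black ones
    grey_gif = make_gif(bytes(30) + b"\x90" * 12 + bytes(726))
    # Constructed non-image payload containing a 16-byte run
    other = b"0123456789" + b"\x90" * 16 + b"\xcc"
    for name, payload in (("grey_gif", grey_gif), ("other", other)):
        print(name, triage(payload))
```

A run reported as "unexplained" is not proof of shellcode; it only means the color table does not account for it and the payload needs a closer look.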