[Snort-users] shellcode error

Erek Adams erek at ...577...
Fri May 31 08:25:06 EDT 2002


On Fri, 31 May 2002, Hugo Ferr wrote:

> Just out of curiosity - why !80, I was getting quite a lot of false
> positives for shellcode on port 80, is that the number of false positives is
> the reason for !80?

Yes.  Something as simple as a .GIF, .JPG, .EXE, etc. could set off those
rules.  It would be nice to put FTP in there, but since the data channel is on
a random high port, it can't be.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net





More information about the Snort-users mailing list