[Snort-users] Pass rule not working

Tony Wong tony.wong at ...5535...
Thu Sep 5 17:24:07 EDT 2002


I have the following pass rules in Shellcode.rules:

pass tcp mysubnet/21 any -> mysubnet/21 $SHELLCODE_PORTS (msg:"SHELLCODE
x86 setuid 0"; content: "|b017 cd80|"; reference:arachnids,436;
classtype:system-call-det......

pass tcp mysubnet/21 any -> mysubnet/21 $SHELLCODE_PORTS (msg:"SHELLCODE
x86 NOOP"; content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90|";
depth: 128; reference:$..........

pass tcp 171.64.184.0/21 any -> mysubnet/21 $SHELLCODE_PORTS
(msg:"SHELLCODE x86 NOOP"; content: "|61 61 61 61 61 61 61 61 61 61 61
61 61 61 61 61 61 61 61 61 61|"; c$............


But I am still getting these SHELLCODE x86 alerts in ACID.

Any ideas?




