[Snort-users] shellcode alerts on src port 80

Chris Green cmg at ...1935...
Thu Sep 26 06:57:04 EDT 2002


Ted Stringer <teds at ...5847...> writes:

> I am running rh7.3 linux, snort 1.8.7, acid0.9.6, and I am getting a lot
> of shellcode alerts.  All of them are from legit http traffic from http
> servers.  I thought that the "!" was the not operator.  The shelcode
> variable is set to "!80" just the way it comes in the default settings.
>
> I hope someone can tell me what is wrong or at least point me in the
> right direction.

You probably don't have your $EXTERNAL_NET set correctly.  The !80 is
on the destination port
-- 
Chris Green <cmg at ...1935...>
"I'm beginning to think that my router may be confused."




More information about the Snort-users mailing list