[Snort-users] No ports listed for SHELLCODE x86 NOOP

Miner, Jonathan W (CSC) (US SSA) jonathan.w.miner at ...11338...
Tue Sep 14 05:59:30 EDT 2004


Hello All -

My snort sensor is running snort-2.2.0 on Solaris 9. I'm seeing a problem with some of my "SHELLCODE x86 NOOP" events not having port numbers listed:

[**] [1:648:7] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
09/14-06:38:39.624643 220.246.35.35 -> 192.233.11.147
TCP TTL:115 TOS:0x0 ID:31983 IpLen:20 DgmLen:1356 MF
Frag Offset: 0x0000   Frag Size: 0x0538

The port number does not show up in the ACID database either.  Funny thing is that many of these events do have port numbers:

[**] [1:648:7] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
09/14-06:38:39.624796 220.246.35.35:1995 -> 192.233.11.147:80
TCP TTL:115 TOS:0x0 ID:31983 IpLen:20 DgmLen:1500
***A**** Seq: 0x4B6D415B  Ack: 0x7C5136E  Win: 0xFAF0  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

Bug?  Or is there something I don't understand?  I may just shut this rule off, since I don't have any x86 based machines. However, we like to run with all rules enabled, to understand what attacks are being launched, and then use custom scripts to post-process that data.

Thanks in advance! :)
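The two events differ in one visible way: the port-less one carries the MF flag and a "Frag Offset:" line, while the one with ports carries a decoded TCP line ("***A**** Seq: ... TcpLen: 20"). Snort prints the Frag Offset line only for packets its decoder marked as IP fragments, and for those it does not decode the transport header, so there are no ports to print; the SID 648 shellcode rule matches at the IP layer, which is why it fires on the raw fragment at all. The reading below, which is this editor's and not part of the post, is that the second event (same IP ID 31983, 153 microseconds later, fragment size 0x538 = 1336 bytes = DgmLen 1356 minus the 20-byte header) is the datagram the frag2 preprocessor reassembled and handed back to detection. The parser is an added example of the kind of post-processing script the post mentions, not code from the post or from Snort; it reads Snort 2.x full-format alert text, separates fragment events from fully decoded ones, and pairs each port-less fragment with a later decoded alert sharing the same endpoints and IP ID. The sample input is the two alerts from the post; the function names and the pairing heuristic are this example's own assumptions.

```python
"""Parse Snort 2.x full-format alerts and tell port-less fragment events from
decoded-TCP events.  Added example; not code from the original post or Snort."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two alerts quoted in the post, reproduced verbatim.
SAMPLE_ALERTS = """\
[**] [1:648:7] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
09/14-06:38:39.624643 220.246.35.35 -> 192.233.11.147
TCP TTL:115 TOS:0x0 ID:31983 IpLen:20 DgmLen:1356 MF
Frag Offset: 0x0000   Frag Size: 0x0538

[**] [1:648:7] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
09/14-06:38:39.624796 220.246.35.35:1995 -> 192.233.11.147:80
TCP TTL:115 TOS:0x0 ID:31983 IpLen:20 DgmLen:1500
***A**** Seq: 0x4B6D415B  Ack: 0x7C5136E  Win: 0xFAF0  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]
"""

IPV4 = r'(\d{1,3}(?:\.\d{1,3}){3})'
HDR_RE = re.compile(r'^\[\*\*\] \[(\d+:\d+:\d+)\] (.+?) \[\*\*\]$')
ADDR_RE = re.compile(r'^(\S+) ' + IPV4 + r'(?::(\d+))? -> ' + IPV4 + r'(?::(\d+))?$')
IP_RE = re.compile(r'^(\w+) TTL:(\d+) TOS:0x[0-9A-Fa-f]+ ID:(\d+) IpLen:(\d+) '
                   r'DgmLen:(\d+)((?: [A-Z]{2})*)$')
FRAG_RE = re.compile(r'^Frag Offset: 0x([0-9A-Fa-f]+)\s+Frag Size: 0x([0-9A-Fa-f]+)$')
TCP_RE = re.compile(r'^[\*\w]{8} Seq: 0x[0-9A-Fa-f]+\s+Ack: 0x[0-9A-Fa-f]+\s+'
                    r'Win: 0x[0-9A-Fa-f]+\s+TcpLen: (\d+)$')


@dataclass
class Alert:
    gid_sid_rev: str
    msg: str
    timestamp: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str
    ip_id: int
    dgm_len: int
    ip_flags: Tuple[str, ...]
    frag_offset: Optional[int]   # None when Snort printed no "Frag Offset:" line
    frag_size: Optional[int]
    tcp_decoded: bool            # True when a TCP flags/seq/ack line is present

    @property
    def is_fragment(self) -> bool:
        # Snort prints the Frag Offset line only for packets its decoder marked
        # as fragments; the MF flag says the same thing for a non-final piece.
        return self.frag_offset is not None or 'MF' in self.ip_flags


def parse_alert_block(block: str) -> Alert:
    """Parse one blank-line-delimited alert record."""
    lines = block.strip().splitlines()
    m_hdr, m_addr, m_ip = HDR_RE.match(lines[0]), ADDR_RE.match(lines[2]), IP_RE.match(lines[3])
    if not (m_hdr and m_addr and m_ip):
        raise ValueError('unrecognised alert block:\n' + block)
    frag_offset = frag_size = None
    tcp_decoded = False
    for line in lines[4:]:
        m = FRAG_RE.match(line)
        if m:
            frag_offset, frag_size = int(m.group(1), 16), int(m.group(2), 16)
        elif TCP_RE.match(line):
            tcp_decoded = True
    return Alert(
        gid_sid_rev=m_hdr.group(1), msg=m_hdr.group(2), timestamp=m_addr.group(1),
        src=m_addr.group(2), sport=int(m_addr.group(3)) if m_addr.group(3) else None,
        dst=m_addr.group(4), dport=int(m_addr.group(5)) if m_addr.group(5) else None,
        proto=m_ip.group(1), ip_id=int(m_ip.group(3)), dgm_len=int(m_ip.group(5)),
        ip_flags=tuple(m_ip.group(6).split()),
        frag_offset=frag_offset, frag_size=frag_size, tcp_decoded=tcp_decoded)


def parse_alerts(text: str) -> List[Alert]:
    return [parse_alert_block(b) for b in re.split(r'\n\s*\n', text.strip()) if b.strip()]


def classify(alert: Alert) -> str:
    """Explain why an alert does or does not carry port numbers."""
    if alert.sport is not None and alert.dport is not None:
        return 'ports decoded'
    if alert.is_fragment:
        return 'fragment: transport header not decoded, rule matched at IP layer'
    return 'no ports and not a fragment: investigate'


def match_fragments_to_reassembled(alerts: List[Alert]) -> Dict[int, Optional[int]]:
    """Map each fragment alert (by index) to a later alert with the same src, dst
    and IP ID that has a decoded TCP header, or None.  Assumption of this example:
    such a pair is the raw first fragment followed by the frag2-reassembled datagram."""
    result: Dict[int, Optional[int]] = {}
    for i, a in enumerate(alerts):
        if not a.is_fragment:
            continue
        result[i] = None
        for j in range(i + 1, len(alerts)):
            b = alerts[j]
            if (b.src, b.dst, b.ip_id) == (a.src, a.dst, a.ip_id) and b.tcp_decoded:
                result[i] = j
                break
    return result


if __name__ == '__main__':
    parsed = parse_alerts(SAMPLE_ALERTS)
    for idx, a in enumerate(parsed):
        print(idx, a.src, a.sport, '->', a.dst, a.dport, '|', classify(a))
    print(match_fragments_to_reassembled(parsed))
```

Run against the sample, the first record classifies as a fragment with no ports and the second as fully decoded, and the pairing function links index 0 to index 1. A script like this lets the rule stay enabled while the fragment events are tagged rather than dropped; a fragment alert with no later decoded partner from the same datagram is the case worth a closer look.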
