[Snort-users] No ports listed for SHELLCODE x86 NOOP

Josh Berry josh.berry at ...10221...
Tue Sep 14 06:59:06 EDT 2004


You aren't seeing port numbers because it is fragmented traffic.  The
TCP headers are not included in packet fragments.


> Hello All -
>
> My snort sensor is running snort-2.2.0 on Solaris 9. I'm seeing a problem
> with some of my "SHELLCODE x86 NOOP" events not having port numbers
> listed:
>
> [**] [1:648:7] SHELLCODE x86 NOOP [**]
> [Classification: Executable code was detected] [Priority: 1]
> 09/14-06:38:39.624643 220.246.35.35 -> 192.233.11.147
> TCP TTL:115 TOS:0x0 ID:31983 IpLen:20 DgmLen:1356 MF
> Frag Offset: 0x0000   Frag Size: 0x0538
>
> The port number does not show up in the ACID database either.  Funny thing
> is that many of these events do have port numbers:
>
> [**] [1:648:7] SHELLCODE x86 NOOP [**]
> [Classification: Executable code was detected] [Priority: 1]
> 09/14-06:38:39.624796 220.246.35.35:1995 -> 192.233.11.147:80
> TCP TTL:115 TOS:0x0 ID:31983 IpLen:20 DgmLen:1500
> ***A**** Seq: 0x4B6D415B  Ack: 0x7C5136E  Win: 0xFAF0  TcpLen: 20
> [Xref => http://www.whitehats.com/info/IDS181]
>
> Bug?  Or is there something I don't understand?  I may just shut this rule
> off, since I don't have any x86 based machines. However, we like to run
> with all rules enabled, to understand what attacks are being launched, and
> then use custom scripts to post-process that data.
>
> Thanks in advance! :)
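Added illustration, not part of the original thread: a small Python model of the decoder behaviour the reply describes, built around the two alerts quoted above. It assumes constructed packets (IP checksum left zero), a 14-byte run of 0x90 as a stand-in for the rule's content match (an approximation, not copied from the rule set), and omits Snort 2.x's first-UDP-fragment exception since both alerts are TCP.

```python
import struct

IPPROTO_TCP = 6
NOOP_SLED = b"\x90" * 14  # constructed approximation of the rule's content match

def build_ipv4(payload, ident, flags_off, ttl=115, proto=IPPROTO_TCP,
               src="220.246.35.35", dst="192.233.11.147"):
    """Constructed IPv4 datagram (header checksum left zero) for the demo."""
    def ip(a):
        return bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, ttl, proto, 0, ip(src), ip(dst))
    return hdr + payload

def decode(pkt):
    """Snort 2.x-style decode: TCP ports are only parsed when the datagram is
    not a fragment. A non-first fragment carries no TCP header at all, and a
    first fragment is left for the frag reassembly preprocessor, so a payload
    rule firing on a fragment reports addresses without ports."""
    ver_ihl, _, dgm_len, ident, flags_off, ttl, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    hlen = (ver_ihl & 0x0F) * 4
    mf, frag_offset = bool(flags_off & 0x2000), (flags_off & 0x1FFF) * 8
    data = pkt[hlen:dgm_len]
    info = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "id": ident, "ttl": ttl, "dgm_len": dgm_len, "mf": mf,
            "frag_offset": frag_offset, "frag_size": len(data),
            "sport": None, "dport": None, "noop": NOOP_SLED in data}
    fragmented = mf or frag_offset != 0
    if not fragmented and proto == IPPROTO_TCP and len(data) >= 20:
        info["sport"], info["dport"] = struct.unpack("!HH", data[:4])
    return info

def alert_line(info):
    """Render the address line the way the two quoted alerts differ."""
    if info["sport"] is None:
        return f"{info['src']} -> {info['dst']}"
    return f"{info['src']}:{info['sport']} -> {info['dst']}:{info['dport']}"

# TCP header: sport 1995, dport 80, seq/ack from the alert, ACK set, win 0xFAF0
tcp_hdr = struct.pack("!HHIIBBHHH", 1995, 80, 0x4B6D415B, 0x7C5136E,
                      0x50, 0x10, 0xFAF0, 0, 0)
# First fragment (MF set, offset 0) of a 1356-byte datagram, IP ID 31983
first_frag = build_ipv4(tcp_hdr + b"\x90" * (1336 - 20), 31983, 0x2000)
# Unfragmented 1500-byte datagram from the same flow
whole = build_ipv4(tcp_hdr + b"\x90" * (1480 - 20), 31983, 0x0000)

if __name__ == "__main__":
    for pkt in (first_frag, whole):
        i = decode(pkt)
        print(alert_line(i), f"DgmLen:{i['dgm_len']}",
              "MF" if i["mf"] else "", "NOOP" if i["noop"] else "")
```

The first packet decodes to `220.246.35.35 -> 192.233.11.147` with DgmLen 1356 and Frag Size 0x538, the second to `220.246.35.35:1995 -> 192.233.11.147:80`, matching the two alerts in the question.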
