[Snort-users] Snort generates alerts when I use rsync to download files

Matt Olney molney at ...1935...
Mon Sep 15 09:49:30 EDT 2008


We'd need to see the data portion of the PCAP to give you a precise answer.

In a happy world, one of the benign files you downloaded had a long sequence
of 0x43.  This sequence can be used as a NOP sled for exploits that are a
little 'mushy' on their targets.  It is possible for this sequence to occur
in the wild and it be nothing, but generally if you get a shellcode alert,
you need to look closely at the payload and ensure it is what it should be.

In an unhappy world, that long sequence of 0x43 is a NOP sled, and you're
now a bot.

Matt

On Mon, Sep 15, 2008 at 9:41 AM, carlopmart <carlopmart at ...11827...> wrote:

> Hi all,
>
>  I am using snort on my laptop as a test lab. When I try to download files
> from
> Internet, Snort displays this alert:
>
> 09/15-14:44:36.373001  [Drop] [**] [1:1390:6] SHELLCODE x86 inc ebx NOOP
> [**]
> [Classification: Executable code was detected] [Priority: 1] {TCP}
> 193.109.191.9:873 -> 10.38.55.4:53662
>
> Why is this alert genereated?? I am downloading .rpm, .xml, and .gz files
> ...
>
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's
> challenge
> Build the coolest Linux based applications with Moblin SDK & win great
> prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20080915/bcf9a494/attachment.html>


More information about the Snort-users mailing list