[Snort-users] Snort generates alerts when I use rsync to download files

carlopmart carlopmart at ...11827...
Mon Sep 15 09:57:57 EDT 2008


Thanks Matt,

  I have attached the pcap file generated by snort. I can see this:

  01b0  42 bf df 2f 84 10 42 08  21 84 10 42 43 43 43 43   B../..B. !..BCCCC
  01c0  43 43 43 43 43 43 43 43  43 43 43 43 43 43 43 43   CCCCCCCC CCCCCCCC
  01d0  43 43 43 43 43 ee 1a 42  08 f9 77 f7 7b 7c a7 c7   CCCCC..B ..w.{|..

  That corresponds to shellcode.rules as: "(msg:"SHELLCODE x86 inc ebx NOOP"; 
content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:1390; 
rev:6;)", but this is a .rpm file ....

Matt Olney wrote:
> We'd need to see the data portion of the PCAP to give you a precise answer.
>  
> In a happy world, one of the benign files you downloaded had a long 
> sequence of 0x43.  This sequence can be used as a NOP sled for exploits 
> that are a little 'mushy' on their targets.  It is possible for this 
> sequence to occur in the wild and it be nothing, but generally if you 
> get a shellcode alert, you need to look closely at the payload and 
> ensure it is what it should be.
>  
> In an unhappy world, that long sequence of 0x43 is a NOP sled, and 
> you're now a bot.
>  
> Matt
> 
> On Mon, Sep 15, 2008 at 9:41 AM, carlopmart <carlopmart at ...11827...> wrote:
> 
>     Hi all,
> 
>      I am using snort on my laptop as a test lab. When I try to download
>     files from
>     Internet, Snort displays this alert:
> 
>     09/15-14:44:36.373001  [Drop] [**] [1:1390:6] SHELLCODE x86 inc ebx NOOP [**]
>     [Classification: Executable code was detected] [Priority: 1] {TCP}
>     193.109.191.9:873 -> 10.38.55.4:53662
> 
>     Why is this alert generated?? I am downloading .rpm, .xml, and .gz
>     files ...
> 
> 
>     --
>     CL Martinez
>     carlopmart {at} gmail {d0t} com
> 


-- 
CL Martinez
carlopmart {at} gmail {d0t} com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.log.1221472872
Type: application/octet-stream
Size: 34708 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20080915/e4bcf4fc/attachment.obj>
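Added example for this archive page (not code from the thread or from the Snort project): a small triage helper for SID 1390. The rule's `content:` is a literal run of 24 'C' bytes (0x43), and 0x43 is the one-byte x86 `inc ebx` instruction, which is why a long run of it is flagged as possible NOP-sled filler. The helper parses a Snort-style hex dump like the one pasted above back into bytes, finds every run that would satisfy the rule, and reports the bytes around each run so the analyst can judge file padding versus sled-plus-payload. The function names and the sample dump are this example's own; the dump is constructed to mirror the one in the mail.

```python
"""Triage helper for Snort SID 1390 ("SHELLCODE x86 inc ebx NOOP").

Added example for this archive page; it is not code from the thread or
from the Snort project. The rule's content match is a literal run of
24 'C' bytes (0x43); on 32-bit x86, 0x43 decodes to `inc ebx`, a
one-byte instruction that works as NOP-sled filler, which is why the
rule exists and why any file containing 24 consecutive 0x43 bytes
trips it. The helpers below parse a Snort-style hex dump back into
bytes, locate every run that satisfies the rule, and report the bytes
around it so the analyst can judge padding versus sled-plus-payload.
Function names and the sample dump are this example's own.
"""
import re

# Literal content from the rule quoted in the thread: 24 x 0x43.
SID_1390_CONTENT = b"C" * 24
INC_EBX = 0x43  # x86 opcode byte for `inc ebx`

# Constructed sample in the same layout as the dump pasted in the thread.
SAMPLE_DUMP = """\
01b0  42 bf df 2f 84 10 42 08  21 84 10 42 43 43 43 43   B../..B. !..BCCCC
01c0  43 43 43 43 43 43 43 43  43 43 43 43 43 43 43 43   CCCCCCCC CCCCCCCC
01d0  43 43 43 43 43 ee 1a 42  08 f9 77 f7 7b 7c a7 c7   CCCCC..B ..w.{|..
"""

# Offset, then up to 16 hex byte pairs; the ASCII column is ignored.
_LINE_RE = re.compile(r"^([0-9a-fA-F]{4})\s+((?:[0-9a-fA-F]{2}\s+){1,16})")


def parse_hexdump(text):
    """Return (base_offset, payload_bytes) from a Snort/tcpdump hex dump."""
    base = None
    data = bytearray()
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        if base is None:
            base = int(m.group(1), 16)
        data += bytes.fromhex(m.group(2))
    return (base or 0), bytes(data)


def would_fire(data, needle=SID_1390_CONTENT):
    """Plain substring match, which is all the rule's `content:` does."""
    return needle in data


def find_runs(data, byte=INC_EBX, min_len=len(SID_1390_CONTENT), base=0):
    """Return [(absolute_offset, run_length)] for every maximal run of
    `byte` at least `min_len` long. Snort stops at the first match; we
    report all runs so repeated padding stands out from a single sled."""
    hits = []
    i, n = 0, len(data)
    while i < n:
        if data[i] != byte:
            i += 1
            continue
        j = i
        while j < n and data[j] == byte:
            j += 1
        if j - i >= min_len:
            hits.append((base + i, j - i))
        i = j
    return hits


def describe_run(data, base, offset, length, context=8):
    """Summarise one run with the bytes before and after it; a sled is
    usually followed by code, padding usually by more file structure."""
    start = offset - base
    end = start + length
    return {
        "offset": offset,
        "run_length": length,
        "before": data[max(0, start - context):start].hex(" "),
        "after": data[end:end + context].hex(" "),
    }


if __name__ == "__main__":
    base, payload = parse_hexdump(SAMPLE_DUMP)
    print("rule would fire:", would_fire(payload))
    for off, length in find_runs(payload, base=base):
        print(describe_run(payload, base, off, length))
```

Run against the sample, the single run of 25 x 0x43 starting at offset 0x1bc is reported together with the bytes on either side. Comparing that context with the expected layout of the downloaded file is the check Matt describes; once a source is confirmed benign, Snort's own suppress/threshold configuration can quiet SID 1390 for it rather than disabling the rule globally.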