[Snort-users] Snort generates alerts when I use rsync to download files

carlopmart carlopmart at ...11827...
Tue Sep 16 10:19:13 EDT 2008


Please, any hints??

carlopmart wrote:
> Thanks Matt,
> 
>  I have attached the pcap file generated by snort. I can see this:
> 
> 01b0  42 bf df 2f 84 10 42 08  21 84 10 42 43 43 43 43   B../..B. !..BCCCC
> 01c0  43 43 43 43 43 43 43 43  43 43 43 43 43 43 43 43   CCCCCCCC CCCCCCCC
> 01d0  43 43 43 43 43 ee 1a 42  08 f9 77 f7 7b 7c a7 c7   CCCCC..B ..w.{|..
> 
>  That corresponds to shellcode.rules as: "(msg:"SHELLCODE x86 inc ebx 
> NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; 
> sid:1390; rev:6;)", but this is a .rpm file ....
> 
> Matt Olney wrote:
>> We'd need to see the data portion of the PCAP to give you a precise 
>> answer.
>>  
>> In a happy world, one of the benign files you downloaded had a long 
>> sequence of 0x43.  This sequence can be used as a NOP sled for 
>> exploits that are a little 'mushy' on their targets.  It is possible 
>> for this sequence to occur in the wild and it be nothing, but 
>> generally if you get a shellcode alert, you need to look closely at 
>> the payload and ensure it is what it should be.
>>  
>> In an unhappy world, that long sequence of 0x43 is a NOP sled, and 
>> you're now a bot.
>>  
>> Matt
>>
>> On Mon, Sep 15, 2008 at 9:41 AM, carlopmart <carlopmart at ...11827...> wrote:
>>
>>     Hi all,
>>
>>      I am using snort on my laptop as a test lab. When I try to download
>>     files from
>>     Internet, Snort displays this alert:
>>
>>     09/15-14:44:36.373001  [Drop] [**] [1:1390:6] SHELLCODE x86 inc ebx NOOP [**]
>>     [Classification: Executable code was detected] [Priority: 1] {TCP}
>>     193.109.191.9:873 -> 10.38.55.4:53662
>>
>>     Why is this alert generated?? I am downloading .rpm, .xml, and .gz
>>     files ...
>>
>>
>>     --
>>     CL Martinez
>>     carlopmart {at} gmail {d0t} com
>>


-- 
CL Martinez
carlopmart {at} gmail {d0t} com
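As an added example (not part of this thread, and not Snort's own code), the script below reproduces what the sid:1390 content match does on the bytes from the hex dump above, so the false positive can be seen directly: the rule's `content` is a literal 24-byte run of 0x43 ('C'), and the rsync payload carries a 25-byte run of it inside the .rpm data. The hex dump is transcribed from the thread; the function names (`parse_hex_dump`, `longest_byte_run`, `sid_1390_fires`, `triage`) and the triage fields are this example's own.

```python
"""Re-creation of what Snort sid:1390 ("SHELLCODE x86 inc ebx NOOP") matches,
run against the bytes from the hex dump in this thread. Added example; the
function names are this example's own, not Snort's."""
import re

# Hex dump lines as transcribed from the thread (offset, 16 bytes, ASCII column).
HEX_DUMP = """\
01b0  42 bf df 2f 84 10 42 08  21 84 10 42 43 43 43 43   B../..B. !..BCCCC
01c0  43 43 43 43 43 43 43 43  43 43 43 43 43 43 43 43   CCCCCCCC CCCCCCCC
01d0  43 43 43 43 43 ee 1a 42  08 f9 77 f7 7b 7c a7 c7   CCCCC..B ..w.{|..
"""

# The rule's content option: 24 'C' characters, i.e. 24 bytes of 0x43.
SID_1390_CONTENT = b"C" * 24

# 0x43 is the one-byte x86 opcode "inc ebx". Like 0x90 (nop) or 0x41 (inc ecx),
# a long run of it executes harmlessly, which is why it can serve as a NOP sled
# and why the rule treats a run of it as suspicious. In a binary file it is
# just data, and the rule cannot tell the two apart.
INC_EBX = 0x43

HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")


def parse_hex_dump(dump: str) -> bytes:
    """Turn an offset/hex/ASCII dump into raw bytes, ignoring offsets and ASCII."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        for tok in tokens[1:17]:  # up to 16 byte columns after the offset
            if not HEX_BYTE.match(tok):
                raise ValueError(f"unexpected token {tok!r} in dump line {line!r}")
            out.append(int(tok, 16))
    return bytes(out)


def longest_byte_run(payload: bytes, value: int) -> tuple:
    """Return (offset, length) of the longest run of `value`; (-1, 0) if absent."""
    best_off, best_len = -1, 0
    run_off, run_len = -1, 0
    for i, b in enumerate(payload):
        if b == value:
            if run_len == 0:
                run_off = i
            run_len += 1
            if run_len > best_len:
                best_off, best_len = run_off, run_len
        else:
            run_len = 0
    return best_off, best_len


def sid_1390_fires(payload: bytes) -> bool:
    """True if the rule's content match would succeed on this payload."""
    return SID_1390_CONTENT in payload


def triage(payload: bytes, src_port: int, dst_port: int) -> dict:
    """Summarise what an analyst checks first: did the content match, how long
    is the run, what surrounds it, and does the flow look like a file transfer
    (rsync is 873/tcp, the source port in the alert above)."""
    off, length = longest_byte_run(payload, INC_EBX)
    end = off + length
    return {
        "fires": sid_1390_fires(payload),
        "run_offset": off,
        "run_length": length,
        "bytes_before": payload[max(0, off - 4):off].hex() if off >= 0 else "",
        "bytes_after": payload[end:end + 4].hex() if off >= 0 else "",
        "rsync_flow": 873 in (src_port, dst_port),
    }


if __name__ == "__main__":
    data = parse_hex_dump(HEX_DUMP)
    print(f"{len(data)} bytes parsed")
    for key, val in triage(data, 873, 53662).items():
        print(f"{key:>12}: {val}")
```

The `triage` output shows the run sitting between ordinary-looking binary bytes on an rsync flow, which is the "look closely at the payload" check Matt describes; the stronger confirmation is to compare the downloaded .rpm against the mirror's published checksum, since a file that verifies is the benign case. If the alert is still unwanted on that channel, Snort 2's threshold.conf can silence it per host without disabling the rule, e.g. `suppress gen_id 1, sig_id 1390, track by_src, ip 193.109.191.9`, and Snort's stock snort.conf of that era shipped the shellcode.rules include commented out precisely because these literal-byte rules are noisy on binary transfers.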