[Snort-users] Alerts are almost entirely "Executable Code was Detected"

Steve Marotta smarotta at ...16014...
Thu Dec 20 11:27:21 EST 2012

I'm looking at my alerts file that I generated from a pcap dump, and it's full of nothing but "Executable Code was Detected". This is the case for just about every pcap file that I give it, with maybe only one or two other events thrown in there. I realize it's entirely possible that that's valid output, but with all of the rules in the rule set I'm using, I'd have expected more variety than that.

I'm using the 2.9.3 rule set provided on the Snort website. I can provide my snort.conf file if need be.
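One way to check the kind of output described above, as an added example that is not part of the original thread: the "[Classification: ...]" text in a Snort alert is the classtype description from classification.config (for classtype shellcode-detect that description is "Executable code was detected"), while the gid:sid and rule message identify the individual rule, so tallying by both shows whether one classification is really a single rule firing or many different rules sharing a classtype. The script parses Snort 2.9 alert_fast lines; the sample lines, local-range SIDs and addresses are constructed for illustration, not taken from the poster's capture.

```python
import re
from collections import Counter

# Snort 2.9 "alert_fast" layout: timestamp, [gid:sid:rev], rule msg,
# optional [Classification: ...], [Priority: n], {proto}, src -> dst.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample alerts (local-range SIDs, documentation IP ranges).
SAMPLE_ALERTS = """\
12/20-11:01:02.000001  [**] [1:1000001:1] SHELLCODE x86 inc ecx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 192.0.2.10:40001 -> 198.51.100.5:80
12/20-11:01:03.000002  [**] [1:1000002:1] SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 192.0.2.11:40002 -> 198.51.100.5:80
12/20-11:01:04.000003  [**] [1:1000003:1] SHELLCODE x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 192.0.2.12:40003 -> 198.51.100.5:443
12/20-11:01:05.000004  [**] [1:1000001:1] SHELLCODE x86 inc ecx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {UDP} 192.0.2.13:40004 -> 198.51.100.6:53
12/20-11:01:06.000005  [**] [1:1000004:1] SQL ping attempt [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.14:40005 -> 198.51.100.7:1434
12/20-11:01:07.000006  [**] [1:1000005:1] LOCAL rule with no classtype [**] [Priority: 0] {TCP} 192.0.2.15:40006 -> 198.51.100.8:22
"""

def parse_alerts(text):
    """Parse alert_fast text; return (parsed records, lines that did not match)."""
    alerts, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ALERT_RE.match(line)
        if not m:
            rejected.append(line)      # keep unparsed lines visible, never drop silently
            continue
        rec = m.groupdict()
        rec["cls"] = rec["cls"] or "(unclassified)"   # rules without classtype
        alerts.append(rec)
    return alerts, rejected

def summarize(alerts):
    """Count alerts by classification text and by distinct rule (gid:sid msg)."""
    by_class = Counter(a["cls"] for a in alerts)
    by_rule = Counter(f"{a['gid']}:{a['sid']} {a['msg']}" for a in alerts)
    return by_class, by_rule

def dominant_share(by_class):
    """Return (classification, fraction of all alerts) for the most common class."""
    cls, n = by_class.most_common(1)[0]
    return cls, n / sum(by_class.values())

if __name__ == "__main__":
    alerts, rejected = parse_alerts(SAMPLE_ALERTS)
    by_class, by_rule = summarize(alerts)
    cls, share = dominant_share(by_class)
    print(f"{len(alerts)} alerts, {len(by_rule)} distinct rules, {len(rejected)} unparsed")
    print(f"most common classification: {cls!r} ({share:.0%})")
    for rule, n in by_rule.most_common():
        print(f"{n:4d}  {rule}")
```

Run against a real alerts file with `parse_alerts(open("alert").read())`; a high share for one classification alongside many distinct rules points at a shared classtype rather than a single noisy signature.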

