[Snort-users] Alerts are almost entirely "Executable Code was Detected"

Joel Esler jesler at ...1935...
Thu Dec 20 19:22:53 EST 2012


What is the signature identification number you are referring to?

--
Joel Esler
Sent from my iPhone 

On Dec 20, 2012, at 11:27 AM, Steve Marotta <smarotta at ...16014...> wrote:

> I'm looking at my alerts file that I generated from a pcap dump, and it's full of nothing but "Executable Code was Detected". This is the case for just about every pcap file that I give it, with maybe only one or two other events thrown in there. I realize it's entirely possible that that's valid output, but with all of the rules in the rule set I'm using, I'd have expected more variety than that.
> 
> I'm using the 2.9.3 rules set provided on the Snort website. I can provide my snort.conf file if need be.