• [ ** ] [ 1:1394:10 ] SHELLCODE x86 inc ecx NOOP [ ** ] 
    [ Classification: Executable code was detected ] [ Priority: 1 ] 
    08/26-17:01:13.529893 76.13.222.11:80 -> 192.168.1.116:2242
    TCP TTL:50 TOS:0x0 ID:51697 IpLen:20 DgmLen:1500 DF
    A* Seq: 0x9D906BC3 Ack: 0xBCE41C8A Win: 0x3908 TcpLen: 20

    Hello to all.

    I have just installed snort and finally, it was able to update the rules and now, I have alerts galore. Several of the alerts are of the type indicated above. I have snort configured for LAN use only. I then take the external IP addresses from the alerts and block then in the WAN firewall rules. However, the alerts keep coming in.

    What does this mean? How are they penetrating the firewall despite being blocked at the port of entry? Am I missing an important concept here?

    oh yes, I have also checked the system log for the firewall entries, but I have to assume if I see the entries in the firewall log then I shouldn't see them as alerts on snort because snort is looking at LAN traffic. Am I correct?

    thanks for your help
    Jits.

  • Rebel Alliance Developer Netgate

    That particular alert, if memory serves, just indicates that someone downloaded an .exe file from a web site.

    Note that the remote side is port 80 (http).

    That is one of many rules that tends to be a little overzealous with alerting, imho, but some people are strict about such things.


  • jits, a "SHELLCODE x86" alert means that snort has detected binary code in your internet traffic.
    Binary code is in all kinds of http traffic like flash videos, images but, in rare instances it can be a sign of an attack
    like a buffer overflow.

    The alert you have sounds like a false positive since the alert originates from port 80 (http server).

    Add a threshold that ignores SHELLCODE x86 alerts that originate from port 80.

    James