Netgate Discussion Forum

    Are these guys THAT good?

    jits:

      [**] [1:1394:10] SHELLCODE x86 inc ecx NOOP [**]
      [Classification: Executable code was detected] [Priority: 1]
      08/26-17:01:13.529893 76.13.222.11:80 -> 192.168.1.116:2242
      TCP TTL:50 TOS:0x0 ID:51697 IpLen:20 DgmLen:1500 DF
      A* Seq: 0x9D906BC3 Ack: 0xBCE41C8A Win: 0x3908 TcpLen: 20

      Hello to all.

      I have just installed snort and finally, it was able to update the rules and now, I have alerts galore. Several of the alerts are of the type indicated above. I have snort configured for LAN use only. I then take the external IP addresses from the alerts and block them in the WAN firewall rules. However, the alerts keep coming in.

      What does this mean? How are they penetrating the firewall despite being blocked at the port of entry? Am I missing an important concept here?

      Oh yes, I have also checked the system log for the firewall entries, but I have to assume if I see the entries in the firewall log then I shouldn't see them as alerts on snort because snort is looking at LAN traffic. Am I correct?

      Thanks for your help.
      Jits.

      jimp (Rebel Alliance Developer, Netgate):

        That particular alert, if memory serves, just indicates that someone downloaded an .exe file from a web site.

        Note that the remote side is port 80 (http).

        That is one of many rules that tends to be a little overzealous with alerting, imho, but some people are strict about such things.

        jamesdean:

          jits, a "SHELLCODE x86" alert means that snort has detected binary code in your internet traffic.
          Binary code is in all kinds of HTTP traffic, like Flash videos and images, but in rare instances it can be a sign of an attack,
          like a buffer overflow.

          The alert you have sounds like a false positive since the alert originates from port 80 (http server).

          Add a threshold that ignores SHELLCODE x86 alerts that originate from port 80.

          James

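An added example (not from the thread or the Snort/pfSense packages) of the triage both replies describe: parse Snort's multi-line alert records like the one jits pasted and flag SHELLCODE hits whose source is a web-server port talking to a LAN host as probable HTTP-download false positives. The LAN range, the set of web-server ports and the second alert record are assumptions constructed for the sample.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in Snort's multi-line alert format: the first record is
# modelled on the one in the question, the second is made up for contrast.
SAMPLE_ALERTS = """\
[**] [1:1394:10] SHELLCODE x86 inc ecx NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
08/26-17:01:13.529893 76.13.222.11:80 -> 192.168.1.116:2242
TCP TTL:50 TOS:0x0 ID:51697 IpLen:20 DgmLen:1500 DF
***A* Seq: 0x9D906BC3 Ack: 0xBCE41C8A Win: 0x3908 TcpLen: 20

[**] [1:1394:10] SHELLCODE x86 inc ecx NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
08/26-17:03:40.118201 198.51.100.7:51324 -> 192.168.1.116:445
TCP TTL:54 TOS:0x0 ID:4011 IpLen:20 DgmLen:1500 DF
***A* Seq: 0x00000010 Ack: 0x00000020 Win: 0x3908 TcpLen: 20
"""

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumption: the poster's LAN
HTTP_SERVER_PORTS = {80, 443, 8080}            # assumption: ports treated as web servers

# Header: [**] [gid:sid:rev] message [**]  (tolerates the forum's "[ ** ]" spacing)
HEADER_RE = re.compile(r"\[\s*\*\*\s*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.+?)\s*\[\s*\*\*\s*\]")
# Flow line: timestamp src:port -> dst:port
FLOW_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s*->\s*(\S+):(\d+)$")


@dataclass
class Alert:
    gid: int; sid: int; msg: str
    src_ip: str; src_port: int; dst_ip: str; dst_port: int


def parse_alerts(text):
    """Split the log into blank-line separated records and extract the fields."""
    alerts = []
    for record in text.strip().split("\n\n"):
        lines = [ln.strip() for ln in record.splitlines()]
        head, flow = HEADER_RE.search(lines[0]), FLOW_RE.match(lines[2])
        if not (head and flow):
            continue  # unparseable record: skip it rather than guess
        alerts.append(Alert(int(head.group(1)), int(head.group(2)), head.group(4),
                            flow.group(2), int(flow.group(3)), flow.group(4), int(flow.group(5))))
    return alerts


def triage(alert):
    """SHELLCODE hits whose *source* is a web-server port are the remote HTTP
    server replying to a request a LAN host made (e.g. an .exe download), the
    case both replies call a false positive; everything else stays for review."""
    if (alert.msg.startswith("SHELLCODE") and alert.src_port in HTTP_SERVER_PORTS
            and ipaddress.ip_address(alert.dst_ip) in LAN):
        return "likely-false-positive"
    return "review"
```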