Ed was able to send the Handlers some packets of the data he was looking at.
The packets we received appear to be a Freebsd iso download from one of freebsd mirrors, so these particular alerts from Snort appear to be false positives. SHELLCODE rules can generate alot of false positives, because the detect is such a simple payload. It is more reliable to use other detection rules in conjunction with SHELLCODE rules, on order to get a full picture. Snort.org + Sourcefire know this, and that's why the rules are disabled by default. Finally, as with any rule in Snort, make sure to read the documentation paying particular attention to the false positive section.
As a reminder, when submitting Snort alerts, or other packets to ISC Handlers, please, we need full packet captures. Not only alerts from Snort (such as logging in tcpdump mode), but to better assist you, we need full stream. (Syn, Syn, Ack, Ack.. the whole conversation!) Packets that we get that are in context (full packet capture), are 10x better then just one sided alerts.
Aug 26th 2006
1 decade ago