From: H D Moore (hdmsecureaustin.com)
Date: Wed May 23 2001 - 11:08:55 CDT


    The source port of 20 indicates an FTP file transfer, the binary data in the
    file happened to contain a sequence of bytes which matched the X86 NOPS
    signature. The X86 NOP signature is triggered by a large continuous chunk of
    0x90 characters, so any packet containing those characters will set it off.

    -HD

    On Wednesday 23 May 2001 06:08 am, Andrew wrote:
    > My snort has lots of x86 NOPS alerts. Below is a sample dump. Please help
    > me interpret this. I would also appreciate it very much if anybody can
    > point me to a site where snort log interpretation is explained.
    >
    >
    > [**] EXPLOIT x86 NOOP [**]
    > 05/22-09:11:15.415698 0:1:2:24:42:3B -> 0:50:DA:63:B3:AF type:0x800
    > len:0x5EA
    > my.snort.machines.ip:20 -> my.nt.workstations.ip:2462 TCP TTL:64 TOS:0x0
    > ID:36431 IpLen:20 DgmLen:1500
    > ***A**** Seq: 0x1DDC6CA3 Ack: 0x10CE4C Win: 0x4470 TcpLen: 20
    > 8B 8D 4C FF FF FF 01 F9 B8 35 8F 46 9E F7 E9 89 ..L......5.F....
    > 95 48 FF FF FF 01 CA 89 95 58 FF FF FF C1 BD 58 .H.......X.....X
    > FF FF FF 0F 89 CA C1 FA 1F 29 95 58 FF FF FF 83 .........).X....
    > [ snipped ]
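The reasoning in the reply above (a long run of 0x90 bytes trips the signature; source port 20 points at FTP data, where a binary file is a benign source of such runs) as an added triage example. This is not code from the post or from Snort: the run-length threshold, the header regex and the sample payload are assumptions constructed for illustration.

```python
import re

# Threshold length of a contiguous 0x90 run that we treat as a "large chunk".
# This value is an assumption for the example, not Snort's real rule content.
NOP_RUN_THRESHOLD = 24

# Matches the packet line of a Snort alert, e.g.
# "my.snort.machines.ip:20 -> my.nt.workstations.ip:2462 TCP TTL:64 ..."
HEADER_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) TCP")

def longest_nop_run(payload: bytes) -> int:
    """Return the length of the longest contiguous run of 0x90 bytes."""
    longest = current = 0
    for b in payload:
        current = current + 1 if b == 0x90 else 0
        longest = max(longest, current)
    return longest

def x86_nop_signature_matches(payload: bytes) -> bool:
    """Approximation of the x86 NOP signature: any long enough run fires."""
    return longest_nop_run(payload) >= NOP_RUN_THRESHOLD

def parse_alert_header(line: str):
    """Extract endpoints and ports from the alert's packet header line."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    return {"src": m.group(1), "sport": int(m.group(2)),
            "dst": m.group(3), "dport": int(m.group(4))}

def triage(header_line: str, payload: bytes) -> str:
    """Classify an x86 NOP alert the way the reply above reasons about it."""
    hdr = parse_alert_header(header_line)
    if hdr is None:
        return "unparsed"
    if not x86_nop_signature_matches(payload):
        return "no-match"
    # Source port 20 is FTP data; a binary file is a common benign source
    # of long 0x90 runs, so flag it for a quick look rather than an incident.
    if hdr["sport"] == 20:
        return "probable-false-positive-ftp-data"
    return "investigate"

# Constructed sample: a packet resembling the alert quoted in the post, with
# a payload containing a padding run of 0x90 bytes as a binary file might.
SAMPLE_HEADER = "my.snort.machines.ip:20 -> my.nt.workstations.ip:2462 TCP TTL:64 TOS:0x0"
SAMPLE_PAYLOAD = b"\x8b\x8d\x4c\xff\xff\xff" + b"\x90" * 40 + b"\x01\xf9\xb8\x35"

if __name__ == "__main__":
    print(triage(SAMPLE_HEADER, SAMPLE_PAYLOAD))
```

The same check run against a capture whose source port is not 20 returns "investigate", which is the case that deserves a look at the surrounding session.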