This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Strange IPS detection v6.004

Since 2 weeks ago i'm getting everyday a ton of these hits:

Message........: SHELLCODE x86 NOOP
Details........: http://www.snort.org/pub-bin/sigs.cgi?sid=1394
Time...........: 2005:09:26-12:25:24
Packet dropped.: yes
Priority.......: 1 (high)
Classification.: Executable code was detected IP protocol....: 6 (TCP)

Source IP address: [Astaro internal IP address] (hostname)
Source port: 8080 (http-alt)
Destination IP address: [one of the PC in the LAN]
Destination port: 2206

how can i be getting these kind of packets originating in the http proxy of astaro?
what might be causing them?

This thread was automatically locked due to age.

0 NimmdirKeks over 20 years ago

Hi,

most likely, someone in your local network ist using the proxy to make a request to a system on your local network.
Mostly this comes from not using the, "don't use proxy for local network" features of the browsers.

Chris
Cancel
Vote Up 0 Vote Down

Cancel
0 firebear_01 over 20 years ago

Hi,
this message appears if in the answer to a packet that was send over your internal proxy to the internet.
The client in your network sends his requests to the proxy.
The proxy sends this requests to the server in the internet.
The server in the internet sends the answers to the proxy.
By the transfer through the proxy (firewall) the packets are detected by snort.

Thats all

firebear
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 19 years ago

Shellcode IPS rules are very prone to false positives, particularly with downloads from HTTP and FTP Sites... I've had to disable that whole category myself.
Cancel
Vote Up 0 Vote Down

Cancel