topic Re: SHELLCODE x86 NOOP, Snort alert, what would you do? in Secure OS Software for Linux https://community.hpe.com/t5/secure-os-software-for-linux/shellcode-x86-noop-snort-alert-what-would-you-do/m-p/3467016#M393 Snort is telling you that someone connected and sent you a NOOP sled to shellcode, used in buffer overflow exploits. The thing I would do is look up where the IP address is registed, in this case:<BR /><BR />styx:~$ whois 207.218.97.235<BR /><BR />OrgName: Global Crossing<BR />OrgID: GBLX<BR />Address: 14605 South 50th Street<BR />City: Phoenix<BR />StateProv: AZ<BR />PostalCode: 85044-6471<BR />Country: US<BR /><BR />Then I'd give them a call/email and tell them about the logs, usually they drop the hammer for you. If you see a lot of traffic from this IP you'll wanna deep six it at your perimeter router.<BR /><BR />--Dave<BR /> Thu, 20 Jan 2005 20:17:46 GMT Dave Falloon 2005-01-20T20:17:46Z SHELLCODE x86 NOOP, Snort alert, what would you do? https://community.hpe.com/t5/secure-os-software-for-linux/shellcode-x86-noop-snort-alert-what-would-you-do/m-p/3467015#M392 Hello,<BR />I have an entry in my Snort log that looks like this:<BR /><BR />SHELLCODE x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 207.218.97.235:3415 -&gt; My_IP_Address:80<BR /><BR /><BR />Beside the obvious like keeping software up-to-date, what would you do to respond to these kinds of activities?<BR /><BR />Would you block 207.218.97.0/22 ?<BR /><BR /><BR />What else?<BR /><BR />Thanks. Wed, 19 Jan 2005 19:51:45 GMT https://community.hpe.com/t5/secure-os-software-for-linux/shellcode-x86-noop-snort-alert-what-would-you-do/m-p/3467015#M392 david lang_2 2005-01-19T19:51:45Z Re: SHELLCODE x86 NOOP, Snort alert, what would you do? https://community.hpe.com/t5/secure-os-software-for-linux/shellcode-x86-noop-snort-alert-what-would-you-do/m-p/3467016#M393 Snort is telling you that someone connected and sent you a NOOP sled to shellcode, used in buffer overflow exploits. The thing I would do is look up where the IP address is registed, in this case:<BR /><BR />styx:~$ whois 207.218.97.235<BR /><BR />OrgName: Global Crossing<BR />OrgID: GBLX<BR />Address: 14605 South 50th Street<BR />City: Phoenix<BR />StateProv: AZ<BR />PostalCode: 85044-6471<BR />Country: US<BR /><BR />Then I'd give them a call/email and tell them about the logs, usually they drop the hammer for you. If you see a lot of traffic from this IP you'll wanna deep six it at your perimeter router.<BR /><BR />--Dave<BR /> Thu, 20 Jan 2005 20:17:46 GMT https://community.hpe.com/t5/secure-os-software-for-linux/shellcode-x86-noop-snort-alert-what-would-you-do/m-p/3467016#M393 Dave Falloon 2005-01-20T20:17:46Z