SHELLCODE x86 NOOP, Snort alert, what would you do?

david lang_2 · ‎01-19-2005

Hello,
I have an entry in my Snort log that looks like this:

SHELLCODE x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 207.218.97.235:3415 -> My_IP_Address:80

Beside the obvious like keeping software up-to-date, what would you do to respond to these kinds of activities?

Would you block 207.218.97.0/22 ?

What else?

Thanks.

Dave Falloon · ‎01-20-2005

Snort is telling you that someone connected and sent you a NOOP sled to shellcode, used in buffer overflow exploits. The thing I would do is look up where the IP address is registed, in this case:

styx:~$ whois 207.218.97.235

OrgName: Global Crossing
OrgID: GBLX
Address: 14605 South 50th Street
City: Phoenix
StateProv: AZ
PostalCode: 85044-6471
Country: US

Then I'd give them a call/email and tell them about the logs, usually they drop the hammer for you. If you see a lot of traffic from this IP you'll wanna deep six it at your perimeter router.

--Dave

Clothes make the man, Naked people have little to no effect on society

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

SHELLCODE x86 NOOP, Snort alert, what would you do?

SHELLCODE x86 NOOP, Snort alert, what would you do?

Re: SHELLCODE x86 NOOP, Snort alert, what would you do?