SHELLCODE x86 NOOP, Snort alert, what would you do?

david lang_2
Occasional Visitor

Hello,
I have an entry in my Snort log that looks like this:

SHELLCODE x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 207.218.97.235:3415 -> My_IP_Address:80


Beside the obvious like keeping software up-to-date, what would you do to respond to these kinds of activities?

Would you block 207.218.97.0/22?


What else?

Thanks.
1 REPLY
Dave Falloon
Trusted Contributor

Re: SHELLCODE x86 NOOP, Snort alert, what would you do?

Snort is telling you that someone connected and sent you a NOOP sled to shellcode, used in buffer overflow exploits. The thing I would do is look up where the IP address is registered, in this case:

styx:~$ whois 207.218.97.235

OrgName: Global Crossing
OrgID: GBLX
Address: 14605 South 50th Street
City: Phoenix
StateProv: AZ
PostalCode: 85044-6471
Country: US

Then I'd give them a call/email and tell them about the logs, usually they drop the hammer for you. If you see a lot of traffic from this IP you'll wanna deep six it at your perimeter router.

--Dave
Clothes make the man, Naked people have little to no effect on society
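As an added example (not part of the original thread and not from either poster), here is a small Python triage script for this kind of alert. It parses Snort fast-format alert lines like the one quoted above, counts hits per source address so a repeat offender can be blocked as a single host rather than by dropping a whole /22, and checks a captured request to see whether the run of 0x90 bytes the rule keys on sits in the HTTP request line or headers (where no legitimate client sends binary) or in an uploaded body, which is the usual false-positive case for this signature. Everything except the first alert line is constructed: the extra alert lines, the payloads, the 14-byte sled threshold and the iptables rule syntax are assumptions made for the example, and the whois step from the reply stays a manual one.

```python
"""Triage helper for Snort "SHELLCODE x86 NOOP" alerts.

Added example, not from the original thread. Parses fast-format alert lines
like the one in the post, counts hits per source, inspects a captured request
for the run of 0x90 (x86 NOP) bytes the rule keys on, and emits a host block
rule for sources that keep coming back. Sample alerts and payloads below are
constructed; only the first alert line is the one quoted in the post.
"""
import re
from collections import Counter
from ipaddress import ip_address

# Fields of the Snort "fast" alert format as shown in the post. A leading
# timestamp and [gid:sid:rev] are not required, so the truncated line parses.
ALERT_RE = re.compile(
    r"(?P<msg>[^\[\]]+?)\s*\[\*\*\]\s*"
    r"\[Classification:\s*(?P<cls>[^\]]+)\]\s*"
    r"\[Priority:\s*(?P<pri>\d+)\]\s*"
    r"\{(?P<proto>\w+)\}\s*"
    r"(?P<src>[^\s:]+):(?P<sport>\d+)\s*->\s*(?P<dst>[^\s:]+):(?P<dport>\d+)"
)

# Consecutive 0x90 bytes treated as a sled. Assumed threshold for this
# example; the rule's own content match may use a different length.
SLED_MIN = 14


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    a = m.groupdict()
    a["msg"] = a["msg"].strip()
    for k in ("pri", "sport", "dport"):
        a[k] = int(a[k])
    return a


def longest_nop_run(payload):
    """Length of the longest run of 0x90 bytes in the payload."""
    best = run = 0
    for b in payload:
        run = run + 1 if b == 0x90 else 0
        best = max(best, run)
    return best


def sled_location(payload):
    """Where a sled-length 0x90 run sits in an HTTP request.

    'headers' (request line or headers: no legitimate client sends binary
    there), 'body' (e.g. an uploaded executable, a common false positive for
    this rule) or 'none'.
    """
    sep = payload.find(b"\r\n\r\n")
    head = payload if sep < 0 else payload[:sep]
    body = b"" if sep < 0 else payload[sep + 4:]
    if longest_nop_run(head) >= SLED_MIN:
        return "headers"
    if longest_nop_run(body) >= SLED_MIN:
        return "body"
    return "none"


def repeat_offenders(lines, min_hits=3):
    """Count SHELLCODE alerts per source address; return those at or above min_hits."""
    hits = Counter()
    for line in lines:
        a = parse_alert(line)
        if a and a["msg"].startswith("SHELLCODE"):
            hits[a["src"]] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


def block_rule(src):
    """Host-level block for one offender (iptables syntax assumed; adapt to the perimeter device)."""
    return f"iptables -I INPUT -s {ip_address(src)}/32 -j DROP"


SAMPLE_ALERTS = [  # constructed; only the first line is from the post
    "SHELLCODE x86 NOOP [**] [Classification: Executable code was detected] "
    "[Priority: 1] {TCP} 207.218.97.235:3415 -> My_IP_Address:80",
    "07/21-10:02:13.118210 [**] [1:648:7] SHELLCODE x86 NOOP [**] "
    "[Classification: Executable code was detected] [Priority: 1] {TCP} "
    "207.218.97.235:3420 -> 192.0.2.10:80",
    "07/21-10:02:19.551003 [**] [1:648:7] SHELLCODE x86 NOOP [**] "
    "[Classification: Executable code was detected] [Priority: 1] {TCP} "
    "207.218.97.235:3431 -> 192.0.2.10:80",
    "07/21-11:40:02.007431 [**] [1:648:7] SHELLCODE x86 NOOP [**] "
    "[Classification: Executable code was detected] [Priority: 1] {TCP} "
    "198.51.100.7:51022 -> 192.0.2.10:80",
    "1 REPLY",  # not an alert line; parse_alert() ignores it
]

# Constructed request with a 200-byte sled in the URI followed by placeholder
# bytes (0xCC) standing in for a payload; nothing here is executable code.
SLED_REQUEST = (b"GET /cgi-bin/" + b"\x90" * 200 + b"\xcc" * 16
                + b" HTTP/1.0\r\nHost: x\r\n\r\n")
# Constructed upload whose body carries x86 alignment padding (0x90 runs
# are normal inside compiled code): the rule fires, but it is not an attack.
UPLOAD_REQUEST = (b"POST /upload HTTP/1.1\r\nHost: x\r\n"
                  b"Content-Type: application/octet-stream\r\n\r\n"
                  + b"MZ" + bytes(60) + b"\x90" * 32 + b"\x55\x89\xe5")
CLEAN_REQUEST = b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"

if __name__ == "__main__":
    for ip, n in repeat_offenders(SAMPLE_ALERTS).items():
        print(f"{ip}: {n} alerts -> {block_rule(ip)}")
    for name, p in (("sled", SLED_REQUEST), ("upload", UPLOAD_REQUEST),
                    ("clean", CLEAN_REQUEST)):
        print(f"{name}: nop run {longest_nop_run(p)}, location {sled_location(p)}")
```

Run it against a real alert file by feeding the lines to repeat_offenders() and the matching packet payloads (from the Snort log or a pcap) to sled_location(); a hit in the headers from a source that keeps returning is the case worth the whois call and the block, while a single hit inside a binary upload usually is not.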