# snort - SHELLCODE x86 NOOP alerts

## ddaas

Hi,

Yesterday I've installed snort+base on my main Linux server.

Today snort triggered cca. 10 thousand alerts in less than 10 min.

[arachNIDS] [snort] SHELLCODE x86 NOOP shellcode-detect 10639(97%) 1 1 1 2005-06-15 11:16:36 2005-06-15 11:32:32

What could it be?

Always the SRC IP is my server with Source Port 139 and the destination address is a windows client on the LAN. What do you think? Is it a false positive or should I worry?

Anyway I suspect that windows client of some illegal activity for a while...

Payload:

length = 1239


----------

## nixnut

 *ddaas wrote:*   

> [arachNIDS] [snort] SHELLCODE x86 NOOP shellcode-detect 10639(97%) 1 1 1 2005-06-15 11:16:36 2005-06-15 11:32:32
> 
> What could it be?

 Most likely an attempt (or rather lots of them) to crack your system. Since your system can be reached by such attacks, consider hardening your system if you haven't done so already. Use pax/grsec and compile your binaries with pie and ssp.

----------

## ddaas

Why do you say it was an attempt to crack my system? Could it not be a false positive?

Snort signature database says:

GEN:SID 1:648

Message SHELLCODE x86 NOOP

[...]

False Positives: The x86 NOP can frequently be found in day-to-day traffic, particularly when transferring large files.

GEN:SID 1:1394

Message SHELLCODE x86 NOOP

[...]

False Positives: High, This event may be generated by applications such as ftp and http when binary data is being transferred.

A false positive can be generated if the snort sensor detects text from an IRC client or any other application that passes data plaintext. The event is generated if snort detects several (a) characters in a row - such as 'aaaaaaaaaa'.

So, are you sure I should worry?

Did anyone get this kind of alert from snort? What was it all about?

----------

## think4urs11

check the server if any unknown processes are running

check the server resources (the Samba shares) with anti virus

check the client; maybe it is just opening some file which triggers the event.

check the client with anti spyware/virus

patch the client with all the latest and greatest M$ provides

in general I'd say this is a false positive

----------

## ter_roshak

I would agree that this is probably a false positive.  The port in question is a prime candidate for SMB file transfers that have a very good chance of containing the proper number of consecutive 0x90 bytes that trigger this alert -- and it is coming from your internal network.  I have this alert quite a bit on my own network.  To determine if this might be a problem, I would recommend collecting some full-content data from your server with tcpdump, tethereal, or ethereal so that you can analyze the traffic and pinpoint the culprit.  Try to find out which process is generating this data when you see it alert.  Try to transfer files from your windows machine to your linux machine and back and see if that generates the same alerts.  You may want to go back into your snort config file and adjust your variables for internal and external networks so that you don't alert on shellcode from your internal network since those machines may be expected to transfer such files frequently.

So, the steps that I would most likely take to analyze the problem more thoroughly would be:

1. start capturing data with tcpdump on the server that is generating the alerts, limiting the capture files to 20 MB each

```
tcpdump -s 1515 -C 20 -w content.lpc
```

2. watch for alerts in snort and try to re-create the situation where you received the alerts

3. use ethereal to view the tcpdump captures and analyze the traffic that caused the alerts and verify that it is not malicious

----------
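As an added example (not code from the thread or from the Snort project), a small Python triage helper for the capture step above: it looks for the long 0x90 runs the x86 NOOP rule matches on and separates runs that sit in front of 0xCC (INT3) filler, the inter-function padding compilers emit inside executables, from runs that lead straight into other bytes. The 14-byte run length (Snort SID 648's content match), the 0xCC-filler heuristic and the sample payloads are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional

NOP, INT3 = 0x90, 0xCC
MIN_NOP_RUN = 14       # assumed length of the 0x90 content match in Snort SID 648
MIN_PAD_RUN = 4        # assumed: how many trailing 0xCC bytes count as filler


@dataclass
class NopRun:
    offset: int
    length: int
    trailing_int3: int  # number of 0xCC bytes directly after the run

    def looks_like_compiler_padding(self) -> bool:
        # Heuristic (assumption): a NOP run that sits in front of an INT3 block is
        # the alignment filler compilers place between functions in a PE file,
        # which is what a binary copied over SMB (port 139) carries in bulk.
        return self.trailing_int3 >= MIN_PAD_RUN


def find_nop_runs(payload: bytes, min_run: int = MIN_NOP_RUN) -> List[NopRun]:
    """Return every run of >= min_run consecutive 0x90 bytes in payload."""
    runs, i, n = [], 0, len(payload)
    while i < n:
        if payload[i] != NOP:
            i += 1
            continue
        start = i
        while i < n and payload[i] == NOP:
            i += 1
        if i - start >= min_run:
            j = i
            while j < n and payload[j] == INT3:
                j += 1
            runs.append(NopRun(start, i - start, j - i))
    return runs


def triage(payload: bytes) -> str:
    """Classify one alerted payload: no-match / likely-binary-transfer / needs-review."""
    runs = find_nop_runs(payload)
    if not runs:
        return "no-match"
    if all(r.looks_like_compiler_padding() for r in runs):
        return "likely-binary-transfer"
    return "needs-review"


# Constructed samples (not the thread's capture): a "ret 4" (C2 04 00) followed by
# the NOP + INT3 filler pattern of compiled code, and a bare 14-byte NOP run that
# runs straight into arbitrary data bytes.
FILLER_SAMPLE = b"\x8b\x01\x6a\x00\xc2\x04\x00" + b"\x90" * 14 + b"\xcc" * 23 + b"\x56\x8b\xf1"
SLED_SAMPLE = b"\x90" * 14 + b"\x41\x42\x43\x44"
```

Run it over the payload bytes of each alert you extract from the tcpdump capture; anything that comes back as needs-review is what is worth opening in ethereal first.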

## ddaas

Hi,

Thanks for your advice. I will do that.

One question: why `tcpdump -s 1515 -C 20 -w content.lpc`?

----------

## ter_roshak

 *ddaas wrote:*   

> Hi,
> 
> Thanks for your advice. I will do that.
> 
> One question: why tcpdump -s 1515 -C 20 -w content.lpc


By default tcpdump does not collect the full packet, only the first 68 bytes.  The -s 1515 makes sure that on a network with an MTU of 1500 you capture all of the packet.

----------

## ddaas

I have one more question: how can I hide sniffer from a normal user?

They can do `ps -ef`. If I do `chmod go-rx ps`, my suspected user could notice that.

If I run it from a script pstree shows the tcpdump command called by the script.

Maybe this question sounds silly, but it is important to hide the sniffer and I don't figure how right now.

----------

## ter_roshak

 *ddaas wrote:*   

> I have one more question: how can I hide sniffer from a normal user?
> 
> they can do: ps -ef . If I do: chmod go-rx ps my suspected user could notice that.
> 
> If I run it from a script pstree shows the tcpdump command called by the script.
> ...


The best way to hide the sniffer is to have it on another machine with access to the suspect machine's network traffic.  You can do this with a hub or possibly at your firewall/gateway device.  You might also want to look into network monitoring with an interface while not actually bringing the interface up -- which is important if you are serious about being able to monitor without getting caught.  A great book that discusses these issues is, "The Tao of Network Security Monitoring", by Richard Bejtlich (http://www.awprofessional.com/bookstore/product.asp?isbn=0321246772&rl=1).

----------

