Snort mailing list archives
Re: Heap Spray String Floods
From: Kevin Ross <kevross33 () googlemail com>
Date: Wed, 23 Feb 2011 12:57:44 +0000
As Matt said, it looks like you are alerting from BASE. You could access BASE over HTTPS so snort does not alert on the generated web traffic, as I assume this is for learning/testing. If it is production then make HOME_NET your internal net in snort.conf and EXTERNAL_NET !HOME_NET so it treats all non-defined home net traffic as external. This is needed for accuracy and performance. You could also look into a physical machine with one interface purely for capture with no IP and settings set for optimised capture, and then have the other for management with an IP but snort does not listen to that interface.

As far as the rules are concerned they should be really accurate due to the specific nature of the string. However I have found that the 0c0c0c0c one without any % or %u has several false positives on my work network with PNG images, though not sure if that FP is common. All the rest seem fine and worth investigation.

On 17 February 2011 16:45, Michael Lubinski <michael.lubinski () gmail com> wrote:
After updating the rules today I have noticed a few hundred and counting ET Heap Spray alerts (see attached picture); my Snort VM is residing at the .200 IP. The laptop I am using is the .104. Anyone have any ideas? I think it is related to the snort signature update, maybe something went amiss, not sure.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
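The HOME_NET / EXTERNAL_NET change Kevin recommends, written out as a snort.conf fragment. This is an added illustration, not a snippet from the thread or from the Snort distribution; the 192.168.1.0/24 range is a constructed placeholder for the poster's internal network (the thread only mentions the .200 and .104 hosts, not the subnet), and the "management" interface name is likewise assumed. Snort 2.x `ipvar` syntax is used, which is what snort.conf of that era takes.

```conf
# --- Weak (default-style) setting: everything is both home and external ---
# With both variables set to "any", traffic between two internal hosts
# (e.g. the analyst's browser talking to the BASE console) matches rules
# written for client-side attacks, which is the flood of ET Heap Spray
# alerts the thread describes.
#ipvar HOME_NET any
#ipvar EXTERNAL_NET any

# --- Corrected setting ---
# HOME_NET is the internal range you are protecting (constructed placeholder;
# replace with your own subnet). EXTERNAL_NET is defined as "not HOME_NET",
# so anything not explicitly internal is treated as external. Rules that
# look for $EXTERNAL_NET -> $HOME_NET traffic then stop firing on purely
# internal sessions such as BASE over the browser.
ipvar HOME_NET [192.168.1.0/24]
ipvar EXTERNAL_NET !$HOME_NET

# Optional: if a sensor has a dedicated management interface (assumed name),
# start snort bound only to the capture interface so management traffic is
# never inspected, e.g.:
#   snort -c /etc/snort/snort.conf -i eth1
# where eth1 is the IP-less capture interface and eth0 carries management.
```

After changing the variables, re-run snort with `-T` (the config test mode) to confirm the file parses before restarting the sensor; a typo in `ipvar` syntax is reported there rather than silently leaving the old "any" behaviour in place.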
Current thread:
- Heap Spray String Floods Michael Lubinski (Feb 17)
- Re: Heap Spray String Floods Matt Olney (Feb 17)
- Re: Heap Spray String Floods Michael Lubinski (Feb 17)
- Re: Heap Spray String Floods Michael Lubinski (Feb 17)
- Re: Heap Spray String Floods Matt Olney (Feb 17)
- Re: Heap Spray String Floods Kevin Ross (Feb 23)
- Re: Heap Spray String Floods Matt Olney (Feb 17)
