Bill Borton <bbortonat_private> writes:

> Hi all,
>
> My apologies if this is something obvious/normal/stupid
>
> Does anyone recognize this?
> I have 7 more packets that followed...
>
> [**] OVERFLOW-NOOP-X86 [**]
> 04/12-13:06:18.115861 remote.machine:60151 -> my.machine:2278
> TCP TTL:49 TOS:0x10 ID:10313 DF
> *****PA* Seq: 0xA1DC9368 Ack: 0xA0A07E88 Win: 0x7D78
> TCP Options => NOP NOP TS: 136676210 87196521

What follows is a portion of one of the binaries from the anaconda program, RedHat's new python/gtk-based installation program. Specifically, the "modlist" util.

Let me guess: at the time this occurred you were FTPing in the latest RedHat ISO image, or at least were retrieving files out of the source tree of anaconda, which seems to include compiled versions of some of the C programs. (See, for example, http://www.trustix.net/pub/Trustix/trustix-1.2/i586/misc/src/anaconda/utils/)

What happened is that snort detected a bunch of executable code flying over the wire, and naturally generated an alert, since such activity can indicate that someone is force-feeding their own code to a program with an exploitable overflow. However, in this case the reason was likely that you were FTPing an uncompressed executable.

Note that this wouldn't happen with source RPMs or binary RPMs, as those contain compressed data. However, a raw ISO image does contain uncompressed versions of programs which are supposed to be executed directly from the CD.
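The mechanism behind the false positive in the reply above, as an added example that is not part of the original post and is not snort's own rule code: the x86 NOP-sled signature is essentially a content match for a long run of 0x90 bytes in a packet payload, and compiled x86 binaries routinely carry runs of 0x90 as alignment padding between functions. The script below reimplements that check over TCP-segment-sized chunks of a stream, feeds it a constructed stand-in for an uncompressed binary (synthetic bytes, not modlist), and then the same bytes after zlib compression as a stand-in for the compressed payload inside an RPM. The 24-byte run threshold, the 1460-byte segment size and the 64-byte padding layout are assumptions chosen for illustration, not values taken from snort or from RedHat's toolchain.

```python
import zlib

NOP = 0x90  # x86 single-byte NOP, the byte the OVERFLOW-NOOP-X86 style rule looks for


def longest_nop_run(payload: bytes, nop: int = NOP) -> int:
    """Length of the longest run of consecutive NOP bytes in a payload."""
    best = run = 0
    for b in payload:
        if b == nop:
            run += 1
            if run > best:
                best = run
        else:
            run = 0
    return best


def nop_sled_alert(payload: bytes, min_run: int = 24) -> bool:
    """Mimic a content-match rule: alert when the payload holds >= min_run
    consecutive 0x90 bytes. min_run=24 is an assumed threshold, not snort's."""
    return longest_nop_run(payload) >= min_run


def alerts_for_stream(data: bytes, segment_size: int = 1460, min_run: int = 24) -> int:
    """Split a transferred file into TCP-segment-sized payloads (1460 is an
    assumed MSS) and count how many segments would raise the alert."""
    return sum(
        nop_sled_alert(data[i:i + segment_size], min_run)
        for i in range(0, len(data), segment_size)
    )


def fake_binary() -> bytes:
    """Constructed stand-in for an uncompressed x86 executable: 40 blocks of
    20 'code' bytes followed by 44 NOPs of inter-function alignment padding.
    The code bytes (0x31..0x44) are chosen so no run of 0x90 exceeds 44."""
    code = bytes(range(0x31, 0x31 + 20))
    padding = bytes([NOP]) * 44
    return (code + padding) * 40


def compressed_binary() -> bytes:
    """The same bytes after zlib compression, standing in for the compressed
    payload an RPM carries; the 0x90 runs do not survive compression."""
    return zlib.compress(fake_binary())


if __name__ == "__main__":
    raw = fake_binary()
    comp = compressed_binary()
    print("uncompressed: longest 0x90 run =", longest_nop_run(raw),
          "segments alerting =", alerts_for_stream(raw))
    print("compressed:   longest 0x90 run =", longest_nop_run(comp),
          "segments alerting =", alerts_for_stream(comp))
```

Every segment of the raw file trips the rule because each one carries at least one full padding run, which is why seven more packets followed the first alert; the compressed copy never does. The practical takeaway is the one the reply makes: correlate the alert with the connection (an FTP data channel from a known mirror) before treating a NOP-sled hit as an exploit attempt, and expect it whenever uncompressed binaries, ISO images included, cross a monitored link.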
This archive was generated by hypermail 2b30 : Tue Apr 17 2001 - 13:39:33 PDT