03-30-2018 09:17 AM
Where can I go/should I go to decode/understand the IPS Alerts I get.
I just got about 30 alerts like this one -
IPS Alert 1: Executable Code was Detected. Signature ET SHELLCODE Common 0a0a0a0a Heap Spray String. From: 184.108.40.206:80, to: 192.168.99.140:53263, protocol: TCP, in interface: eth1
but I'm not sure exactly what it is saying. I put the string into Google and quickly got lost in the results.
Is there a recommended site that will help Admins understand what "Signature ET SHELLCODE Common 0a0a0a0a Heap Spray String" means?
03-30-2018 10:04 AM
This matches the following rule:
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common 0a0a0a0a Heap Spray String"; flow:established,to_client; content:"0a0a0a0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012252; rev:3; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
Basically any traffic from a http server to your home network that contains 0a0a0a0a can trigger this alert.
On version 5.9 you will be able to suppress alerts and you can easily remove any signature that is causing false positives like this one.
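Added example, not code from any poster in this thread or from Ubiquiti: a small Python re-implementation of the single check the rule above performs (a case-insensitive search for the ASCII text "0a0a0a0a" in a server-to-client HTTP payload), plus a parser for the IPS alert line quoted in the first post. The HTTP payloads are constructed, not captured traffic, and the (80, 8080) list standing in for $HTTP_PORTS is an assumption; the point it shows is that any hex-encoded data, JavaScript, or JSON that happens to spell out "0a0a0a0a" trips the signature, while four raw newline bytes do not.

```python
"""
Re-implementation of what ET sid:2012252 inspects, for triaging UniFi IPS alerts.
Added example; not the forum poster's or Ubiquiti's code.
"""
import ipaddress
import re

# The rule's content match is the eight ASCII characters "0a0a0a0a" with nocase.
# It is NOT the four raw bytes 0x0a 0x0a 0x0a 0x0a, which rule syntax would
# write as content:"|0a 0a 0a 0a|".
RULE_CONTENT = b"0a0a0a0a"
RULE_SID = 2012252

# Assumed stand-in for $HTTP_PORTS; the real variable is a longer list.
HTTP_PORTS = (80, 8080)

# Shape of the UniFi IPS alert line quoted in the thread.
ALERT_RE = re.compile(
    r"Signature (?P<sig>.+?)\. From: (?P<src>[\d.]+):(?P<sport>\d+), "
    r"to: (?P<dst>[\d.]+):(?P<dport>\d+), protocol: (?P<proto>\w+)"
    r"(?:, in interface: (?P<iface>\S+))?"
)


def parse_ips_alert(line: str) -> dict:
    """Split a UniFi IPS alert line into the fields an admin triages on."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError("not a recognised IPS alert line")
    fields = m.groupdict()
    fields["sport"] = int(fields["sport"])
    fields["dport"] = int(fields["dport"])
    return fields


def matches_rule_content(http_payload: bytes) -> bool:
    """Apply the rule's only content check: literal text, case-insensitive."""
    return RULE_CONTENT in http_payload.lower()


def direction_is_to_client(alert: dict) -> bool:
    """flow:established,to_client with $HTTP_PORTS as the source side: the
    server speaks from an HTTP port to an ephemeral port on a private
    ($HOME_NET) address. True means the alert describes a response to a
    host on the LAN, which is exactly the shape ordinary browsing produces."""
    dst = ipaddress.ip_address(alert["dst"])
    return alert["sport"] in HTTP_PORTS and alert["dport"] > 1023 and dst.is_private


# Constructed sample payloads (not captured traffic).
# A JSON field carrying hex-encoded "Hello\n\n\n\nWorld": four newline bytes
# become the text "0a0a0a0a", so the rule fires on harmless data.
BENIGN_HEX_BLOB = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
    b'{"blob":"48656c6c6f0a0a0a0a576f726c64"}'
)
# Same data hex-encoded in upper case; nocase still matches.
BENIGN_HEX_BLOB_UPPER = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
    b'{"blob":"48656C6C6F0A0A0A0A576F726C64"}'
)
# The same text sent raw: four real 0x0a bytes, no ASCII "0a0a0a0a", no match.
RAW_NEWLINES = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nHello\n\n\n\nWorld"

# The alert line from the first post in the thread.
SAMPLE_ALERT = (
    "IPS Alert 1: Executable Code was Detected. Signature ET SHELLCODE Common "
    "0a0a0a0a Heap Spray String. From: 184.108.40.206:80, to: 192.168.99.140:53263, "
    "protocol: TCP, in interface: eth1"
)


if __name__ == "__main__":
    alert = parse_ips_alert(SAMPLE_ALERT)
    print(alert)
    print("server->LAN client response:", direction_is_to_client(alert))
    for name, payload in [("hex blob", BENIGN_HEX_BLOB),
                          ("hex blob upper", BENIGN_HEX_BLOB_UPPER),
                          ("raw newlines", RAW_NEWLINES)]:
        print(f"{name}: sid {RULE_SID} fires = {matches_rule_content(payload)}")
```

Run it and the hex-encoded payloads fire while the raw-newline one does not, which is why web games, DVR firmware feeds and video calls in the later posts can all light this up. If you administer Suricata directly rather than through the UniFi controller, the threshold.config line `suppress gen_id 1, sig_id 2012252, track by_src, ip <server address>` silences this one sid for one server without disabling the rule for everyone.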
08-26-2018 10:42 AM
And how do you really know what's a false positive and what's not?
The traffic can come from a server for some legit mobile app but the server might have been hacked etc.
I just got a few of this too like this:
ET SHELLCODE Common 0a0a0a0a Heap Spray String
The IP of this log belongs to a server that seems to belong to some web game developer. At least the default http host does; what other hosts there are is unknown to me.
11-27-2018 04:37 PM
Sorry to resurrect this but I too had this alert (destination was my phone) and when I first looked into it I discovered this. I had just finished a FaceTime Video call with my girlfriend (who lives in Freiburg, Germany) on my iPhone 6S. When I looked into the source IP, it was located iiiiiin (take a guess!!!!!) Freiburg, Germany.
This leads me to believe it is something related to the FaceTime platform, specifically the Video side of it (I made a FaceTime Audio call to her today and didn't get the IPS alerts). I have not yet had a chance to further test my theory with video calls, or if it affects only iPhones or Macs as well.
Here's what I do know:
- Time stamp on the alerts lines up with the duration of my FaceTime call.
- (assuming I'm right) Source is located very near to the person being called.
- FaceTime Video (but not Audio)
I will add on as the points roll in (if they do)
Test my theory! Have your significant other (or just some other person) FaceTime Video with you and see if you get any IPS alerts that line up with what I'm thinking.
a month ago
Just to add to the knowledge, I got the same alert that went to both of my network DVRs. I'm on Fios, and the originating IP is owned by Verizon, so it checks out as a false alarm as far as I am concerned.
a week ago
Signed into company site and had 300+ alerts.
IPS Alert 1: Executable Code was Detected. Signature ET SHELLCODE Common 0a0a0a0a Heap Spray String. From: 220.127.116.11:80, to: 192.168.0.40:57398, protocol: TCP
Apparently false positive? or?