Disable alert by port

[Carlos-mb]

Hello.

I'm getting many alerts "GPL SHELLCODE x86 0xEB0C NOOP" and I have seen that it's related to Microsoft Delivery Optimization and all the connections are made to port 7680, the one used by this service.

I have tried to find the way to disable this alert when destination port is 7680, but I haven't found the way.

I'll than any idea about this.

Thanks!

[zfcarsonb]

It appears you are referencing sid 2101424:

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0xEB0C NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; fast_pattern; classtype:shellcode-detect; sid:2101424; rev:9; metadata:created_at 2010_09_23, signature_severity Minor, updated_at 2019_10_08;)

Tuning the external side of the rule

If you want to modify $SHELLCODE_PORTS to exclude port 7680, you can go to:

Administration > Configuration > Suricata > Config > vars > port-groups > SHELLCODE_PORTS

Then append a new line with the value:

!7680

Alternatively, you could also create a modify override in the Detections module. Something along the lines of (untested):

regex: \$SHELLCODE_PORTS
value: [$SHELLCODE_PORTS,!7680]

Tuning the home side of the rule

If you were trying to tune the HOME_NET side of the rule, you would need to create a modify override in the Detections module.

Something like this (untested):

regex: \$HOME_NET any
value: $HOME_NET !7680

Hope this information helps!

[Carlos-mb]

Thank you very much.

I know I had modified the threshold on other rule time ago, but I don't know where I did take note of how I did it.

In this case I have to modify the source port in order to exclude 7680 only for this rule, so I'll choose the second option.

I have done these changes:

  regex: \$SHELLCODE_PORTS
  value: [$SHELLCODE_PORTS,!7680]

I hope this work

I really thank you for your support!