Snort mailing list archives
Limiting false-hits with "SMTP RCPT TO overflow" rule
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Sat, 18 Aug 2001 20:55:06 +1200
Let's say I want to write a better "SMTP RCPT TO overflow" rule: alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP RCPT TO overflow"; flags:A+; content:"rcpt to|3a|"; dsize:>800; reference:cve,CAN-2001-0260; reference:bugtraq,2283; classtype:attempted-admin; sid:654; rev:1;) I get a few false-hits on that one. Mainly from security lists obviously :-) The problem of course is that rule looks for "rct to:", and a large packet size - something easily met inside the body of a mail message about SMTP. Would adding perhaps a "offset:0" to this rule fix it? All SMTP RCPT calls are done as single packets, so that offset would always be right - wouldn't it? Agh. PIPELINING may screw that... -- Cheers Jason Haar Unix/Special Projects, Trimble NZ Phone: +64 3 9635 377 Fax: +64 3 9635 417 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Limiting false-hits with "SMTP RCPT TO overflow" rule Jason Haar (Aug 18)