Snort mailing list archives

Re: False positives with SMTP RCPT TO overflow rule

From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 25 Jun 2002 14:16:14 -0400

This came up a week or so ago. My general recommendation is that unless yourun a vulnerable mailserver, kill this rule completely.

AFAIK this rule is easily bypassed by an attacker, and readily false-pronedue to SMTP command pipelining. IMHO this rule is so completely broken hasno place in a general-purpose deployment of snort.


At 11:09 AM 6/25/2002 -0600, Nels Lindquist wrote:

Hi there.

I just updated my signatures to the latest ones (as of June 24,
anyway) and suddenly I'm getting hundreds of alerts on SMTP RCPT TO
overflow.




-------------------------------------------------------
This sf.net email is sponsored by: Jabber Inc.

Don't miss the IM event of the season | Special offer for OSDN members!JabConf 2002, Aug. 20-22, Keystone, CO http://www.jabberconf.com/osdn

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

False positives with SMTP RCPT TO overflow rule Nels Lindquist (Jun 25)
- Re: False positives with SMTP RCPT TO overflow rule Matt Kettler (Jun 25)
  - Re: False positives with SMTP RCPT TO overflow rule Nels Lindquist (Jun 27)
    - Re: False positives with SMTP RCPT TO overflow rule Matt Kettler (Jun 27)
    - Re: False positives with SMTP RCPT TO overflow rule Chris Green (Jun 27)
- <Possible follow-ups>
- RE: False positives with SMTP RCPT TO overflow rule Slighter, Tim (Jun 25)
  - RE: False positives with SMTP RCPT TO overflow rule Nels Lindquist (Jun 25)
- RE: False positives with SMTP RCPT TO overflow rule Slighter, Tim (Jun 26)