Snort mailing list archives

SNORT and SMTP RBLs


From: "David Flanigan" <dave () flanigan net>
Date: Tue, 2 Jul 2002 09:40:15 -0400

Hello:

It seems snort reports the disconnection associated with Sendmail RBL 
(realtime blackholes) as an "Attempted Administrative Privilege Gain" via 
SMTP HELO or RCPT TO overflow. 

We use RBLs to keep the spam down. Is there a way to modify the rule so it 
doesn't misreport this? I hate to disable two otherwise good rules. 



Jul  1 19:40:14 dflx snort: [1:1549:5] SMTP HELO overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 193.225.10.130:18929 -> 67.36.126.141:25
Jul  1 20:18:33 dflx snort: [1:654:5] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 130.155.191.236:2695 -> 67.36.126.141:25
Jul  1 20:20:07 dflx snort: [1:654:5] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 210.115.125.11:3857 -> 67.36.126.141:25
Jul  1 20:22:22 dflx snort: [1:654:5] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 204.152.184.27:1625 -> 67.36.126.141:25
Jul  1 20:23:03 dflx snort: [1:654:5] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 66.46.150.18:43636 -> 67.36.126.141:25
--
Kind Regards, 
David A. Flanigan

dave () flanigan net
http://www.flanigan.net
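Before deciding whether to tune or disable the two rules, the usual first step is to triage the alerts: parse the syslog-format lines Snort writes, group them by SID, and see how many distinct senders trigger each rule against the MTA port. The script below is an added example written for this archive page; it is not code from the poster or from the Snort project. The sample log lines are constructed (RFC 5737 documentation addresses, a made-up sensor name) in the same format as the alerts quoted in the post, and the "many distinct sources, all to port 25" heuristic for flagging a rule as worth a closer look is an assumption of this example, not a Snort feature.

```python
import re
from dataclasses import dataclass

# Matches the syslog alert format Snort emits, e.g.
# "Jul  1 19:40:14 host snort: [1:654:5] SMTP RCPT TO overflow
#  [Classification: ...] [Priority: 1]: {TCP} a.b.c.d:1234 -> e.f.g.h:25"
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snort: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample input (not the poster's real log): five SMTP overflow
# alerts from distinct senders to one MTA, one repeat sender, one non-Snort line.
SAMPLE_SYSLOG = """\
Jul  1 19:40:14 sensor1 snort: [1:1549:5] SMTP HELO overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 192.0.2.10:18929 -> 198.51.100.5:25
Jul  1 20:18:33 sensor1 snort: [1:654:5] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 192.0.2.11:2695 -> 198.51.100.5:25
Jul  1 20:20:07 sensor1 snort: [1:654:5] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 192.0.2.12:3857 -> 198.51.100.5:25
Jul  1 20:22:22 sensor1 snort: [1:654:5] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 192.0.2.13:1625 -> 198.51.100.5:25
Jul  1 20:23:03 sensor1 snort: [1:654:5] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 192.0.2.14:43636 -> 198.51.100.5:25
Jul  1 20:25:00 sensor1 snort: [1:1549:5] SMTP HELO overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 192.0.2.10:18930 -> 198.51.100.5:25
Jul  1 20:26:00 sensor1 sshd[123]: Accepted publickey for admin from 192.0.2.99
"""


@dataclass(frozen=True)
class Alert:
    timestamp: str
    sensor: str
    gid: int
    sid: int
    rev: int
    message: str
    classification: str
    priority: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_alert(line):
    """Return an Alert for one Snort syslog line, or None if it is not one."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Alert(g["ts"], g["host"], int(g["gid"]), int(g["sid"]), int(g["rev"]),
                 g["msg"], g["cls"], int(g["prio"]), g["proto"],
                 g["src"], int(g["sport"]), g["dst"], int(g["dport"]))


def parse_alerts(lines):
    """Parse every line, silently skipping non-Snort syslog entries."""
    return [a for a in (parse_alert(l) for l in lines) if a is not None]


def sources_by_sid(alerts):
    """Map each SID to the set of distinct source addresses that triggered it."""
    out = {}
    for a in alerts:
        out.setdefault(a.sid, set()).add(a.src)
    return out


def smtp_tuning_candidates(alerts, mta_port=25, min_sources=3):
    """SIDs whose alerts all target the MTA port and come from many distinct
    senders: the pattern to review first, because a wide spread of unrelated
    senders tripping the same rule against a mail server is more consistent
    with rejected delivery attempts than with a single attacker. (Heuristic
    chosen for this example; review the rule and traffic before acting.)"""
    by_sid = {}
    for a in alerts:
        by_sid.setdefault(a.sid, []).append(a)
    out = []
    for sid, group in sorted(by_sid.items()):
        to_mta = all(a.proto == "TCP" and a.dport == mta_port for a in group)
        if to_mta and len({a.src for a in group}) >= min_sources:
            out.append(sid)
    return out


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_SYSLOG.splitlines())
    for sid, srcs in sorted(sources_by_sid(alerts).items()):
        msg = next(a.message for a in alerts if a.sid == sid)
        print(f"sid {sid} ({msg}): {len(srcs)} distinct source(s)")
    print("review first:", smtp_tuning_candidates(alerts))
```

Run it against a real syslog file by replacing `SAMPLE_SYSLOG.splitlines()` with the file's lines; the per-SID source counts, together with the MTA's own log of which of those connections it rejected, give the evidence needed to decide whether a narrower rule or a threshold is appropriate rather than disabling the rule outright.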


