Snort mailing list archives
SNORT and SMTP RBLs
From: "David Flanigan" <dave () flanigan net>
Date: Tue, 2 Jul 2002 09:40:15 -0400
Hello:

It seems snort reports the disconnection associated with Sendmail RBL (realtime blackholes) as an "Attempted Administrative Privilege Gain" via SMTP HELO or RCPT TO overflow. We use RBLs to keep the spam down. Is there a way to modify the rule so it doesn't misreport this? I hate to disable two otherwise good rules.

Jul 1 19:40:14 dflx snort: [1:1549:5] SMTP HELO overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 193.225.10.130:18929 -> 67.36.126.141:25
Jul 1 20:18:33 dflx snort: [1:654:5] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 130.155.191.236:2695 -> 67.36.126.141:25
Jul 1 20:20:07 dflx snort: [1:654:5] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 210.115.125.11:3857 -> 67.36.126.141:25
Jul 1 20:22:22 dflx snort: [1:654:5] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 204.152.184.27:1625 -> 67.36.126.141:25
Jul 1 20:23:03 dflx snort: [1:654:5] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 66.46.150.18:43636 -> 67.36.126.141:25

--
Kind Regards,
David A. Flanigan
dave () flanigan net
http://www.flanigan.net
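Added example (not part of the original post and not Snort project code): one way to check the premise of the question above, that these alerts coincide with RBL rejections, is to correlate the Snort syslog alerts with the mail server's reject entries by source IP and time. The mail-log lines, their simplified format, the 30-second window, the year 2002 default and all function names are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Snort syslog alert lines copied from the post above (three of the five).
SNORT_LOG = """\
Jul 1 19:40:14 dflx snort: [1:1549:5] SMTP HELO overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 193.225.10.130:18929 -> 67.36.126.141:25
Jul 1 20:18:33 dflx snort: [1:654:5] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 130.155.191.236:2695 -> 67.36.126.141:25
Jul 1 20:23:03 dflx snort: [1:654:5] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 66.46.150.18:43636 -> 67.36.126.141:25
"""

# CONSTRUCTED mail-log lines (not from the post): a simplified, assumed
# form of a sendmail DNSBL reject entry, used only to exercise the code.
MAIL_LOG = """\
Jul 1 19:40:12 dflx sendmail[2101]: ruleset=check_relay, arg2=193.225.10.130, reject=550 5.7.1 blocked by RBL
Jul 1 20:18:31 dflx sendmail[2177]: ruleset=check_relay, arg2=130.155.191.236, reject=550 5.7.1 blocked by RBL
"""

ALERT_RE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ snort: \[(\d+):(\d+):(\d+)\] (.*?) \[Classification: .*?\]"
    r" \[Priority: \d+\]: \{TCP\} ([\d.]+):\d+ -> ([\d.]+):(\d+)$", re.M)
REJECT_RE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ sendmail\[\d+\]: .*arg2=([\d.]+), reject=", re.M)

def ts(text, year=2002):
    """Syslog timestamps carry no year; the caller supplies it."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def parse_alerts(log):
    """Extract time, SID, message and source IP from Snort syslog alerts."""
    return [{"time": ts(m[1]), "sid": int(m[3]), "msg": m[5], "src": m[6]}
            for m in ALERT_RE.finditer(log)]

def parse_rejects(log):
    """Map each rejected client IP to the times it was rejected."""
    rejects = {}
    for m in REJECT_RE.finditer(log):
        rejects.setdefault(m[2], []).append(ts(m[1]))
    return rejects

def triage(alerts, rejects, window=timedelta(seconds=30)):
    """Split alerts: source RBL-rejected within `window`, versus the rest."""
    rbl, review = [], []
    for a in alerts:
        hit = any(abs(a["time"] - t) <= window for t in rejects.get(a["src"], []))
        (rbl if hit else review).append(a)
    return rbl, review

if __name__ == "__main__":
    rbl, review = triage(parse_alerts(SNORT_LOG), parse_rejects(MAIL_LOG))
    print("RBL-correlated:", [(a["sid"], a["src"]) for a in rbl])
    print("needs review:  ", [(a["sid"], a["src"]) for a in review])
```

Alerts that land in the review list have no matching reject entry and should not be written off as RBL noise.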