Snort mailing list archives
SMTP HELO overflow attempt
From: "Capps Family" <capps27 () attbi com>
Date: Mon, 29 Jul 2002 19:14:17 -0700
I am getting numerous errors for this reason. I'm running Redhat Linux 7.3 and snort 1.8.7. My snort is configured to do binary logging.

When I display the snort binary log that was created at the same time as the alert, using tcpdump, this packet doesn't even show up. I have a separate tcpdump trace of the same segment running at the same time. When I display it, it looks like a normal packet.

I then configured snort to log with the "X" option. When I compared the data captured for that IP with the same data in the tcpdump packet, the IP header looks completely different. Tcpdump looks perfect; the snort dump IP header data looks like it's been corrupted.

Has anybody experienced anything close? I don't mind getting rid of the rule because we really shouldn't be affected by it, but I hate to do that and hide a bug in the program. Any ideas?

Thanks
Michael
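The comparison the post describes (a tcpdump trace of the same segment held up against the Snort binary log, looking for a packet that is missing or whose IP header came out mangled) can be automated rather than eyeballed in tcpdump output. The following is an added example and not code from the post or from the Snort project. It reads two classic little-endian libpcap files (Ethernet link type), matches frames on everything except the 20-byte IPv4 header so that a frame with a damaged header still finds its twin, and reports frames absent from the second capture plus any IPv4 header fields that differ or fail the RFC 791 header checksum. Both captures are constructed inline; the "corrupted" header in the Snort-side capture is simulated by overwriting bytes, which is an assumption about what such corruption looks like, not a reproduction of the bug Michael saw. The frames carry option-less IPv4 headers and an unverified TCP checksum, and nothing here reproduces what the Snort rule itself matches on.

```python
"""Diff a reference packet capture against a suspect one, IPv4 header by IPv4 header."""
import struct
from typing import Dict, List

PCAP_MAGIC = 0xA1B2C3D4
ETH_LEN = 14                      # Ethernet II header length
IP_HDR_FMT = "!BBHHHBBH4s4s"      # fixed 20-byte IPv4 header (no options assumed)
IP_KEYS = ("ver_ihl", "tos", "total_len", "id", "flags_frag",
           "ttl", "proto", "csum", "src", "dst")


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; yields 0 when run over a header whose checksum is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src: str, dst: str, ip_id: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame carrying one SMTP command to port 25 (TCP checksum left 0)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 40000, 25, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    addr = lambda a: bytes(int(o) for o in a.split("."))
    ip = struct.pack(IP_HDR_FMT, 0x45, 0, 20 + len(tcp) + len(payload), ip_id,
                     0x4000, 64, 6, 0, addr(src), addr(dst))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in header checksum
    return eth + ip + tcp + payload


def write_pcap(frames: List[bytes]) -> bytes:
    """Serialize frames as a classic libpcap file (little-endian, linktype 1 = Ethernet)."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    recs = (struct.pack("<IIII", 1027977257 + i, 0, len(f), len(f)) + f
            for i, f in enumerate(frames))
    return hdr + b"".join(recs)


def read_pcap(data: bytes) -> List[bytes]:
    """Parse a little-endian libpcap file into its raw frames."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    frames, off = [], 24
    while off + 16 <= len(data):
        caplen = struct.unpack("<IIII", data[off:off + 16])[2]
        off += 16
        frames.append(data[off:off + caplen])
        off += caplen
    return frames


def parse_ipv4(frame: bytes) -> Dict[str, object]:
    """Decode the IPv4 header; a damaged header is reported in the fields, not raised."""
    if len(frame) < ETH_LEN + 20 or frame[12:14] != b"\x08\x00":
        raise ValueError("not IPv4 over Ethernet")
    fields = dict(zip(IP_KEYS, struct.unpack(IP_HDR_FMT, frame[ETH_LEN:ETH_LEN + 20])))
    fields["version"] = fields["ver_ihl"] >> 4
    fields["ihl"] = (fields["ver_ihl"] & 0x0F) * 4
    hdr = frame[ETH_LEN:ETH_LEN + fields["ihl"]]
    fields["checksum_ok"] = fields["ihl"] >= 20 and ip_checksum(hdr) == 0
    for k in ("src", "dst"):
        fields[k] = ".".join(str(b) for b in fields[k])
    return fields


def diff_captures(reference: bytes, suspect: bytes) -> List[str]:
    """Report frames missing from `suspect` and IPv4 header fields that differ from `reference`.
    Frames are matched on everything except the 20-byte IPv4 header, so a mangled header
    still finds its twin (assumption: option-less IPv4 headers in both captures)."""
    key = lambda f: f[:ETH_LEN] + f[ETH_LEN + 20:]
    suspect_by_key = {key(f): f for f in read_pcap(suspect)}
    findings = []
    for n, ref in enumerate(read_pcap(reference), 1):
        sus = suspect_by_key.get(key(ref))
        if sus is None:
            findings.append(f"frame {n}: present in reference, absent from suspect")
            continue
        a, b = parse_ipv4(ref), parse_ipv4(sus)
        for k in ("version", "ihl", "tos", "total_len", "id", "flags_frag", "ttl", "proto", "src", "dst"):
            if a[k] != b[k]:
                findings.append(f"frame {n}: {k} reference={a[k]} suspect={b[k]}")
        if not b["checksum_ok"]:
            findings.append(f"frame {n}: suspect IPv4 header checksum invalid")
    return findings


# Constructed traffic: a plain HELO, an over-long HELO of the kind an overflow rule
# targets, and a QUIT, all from a client 192.0.2.10 to a mail server 192.0.2.25.
TCPDUMP_TRACE = write_pcap([
    build_frame("192.0.2.10", "192.0.2.25", 1, b"HELO client.example\r\n"),
    build_frame("192.0.2.10", "192.0.2.25", 2, b"HELO " + b"A" * 600 + b"\r\n"),
    build_frame("192.0.2.10", "192.0.2.25", 3, b"QUIT\r\n"),
])
_frames = read_pcap(TCPDUMP_TRACE)
# Simulated Snort-side log: frame 2 has its version/IHL/TOS/total-length bytes
# overwritten (corruption simulated here, an assumption) and frame 3 was never logged.
SNORT_LOG = write_pcap([
    _frames[0],
    _frames[1][:ETH_LEN] + b"\x00\x00\xff\xff" + _frames[1][ETH_LEN + 4:],
])

if __name__ == "__main__":
    for line in diff_captures(TCPDUMP_TRACE, SNORT_LOG):
        print(line)
```

Against the constructed captures this prints the version, IHL and total-length mismatches and the failed checksum for the long-HELO frame, then the missing QUIT frame; feeding it real files is a matter of replacing the two byte strings with `open(path, "rb").read()`. Matching on the bytes outside the IP header is what makes the tool useful for this specific symptom: matching on IP ID or the 5-tuple would make a frame with a corrupted header look merely "missing" and hide the more interesting finding.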
Current thread:
- SMTP HELO overflow attempt Capps Family (Jul 30)
- Re: SMTP HELO overflow attempt Andreas Hasenack (Jul 31)
- Re: SMTP HELO overflow attempt Ian Macdonald (Jul 31)
- Re: SMTP HELO overflow attempt Andreas Hasenack (Jul 31)