Snort mailing list archives

XEXCH50 evasion rule parse problems?


From: "Erik Norman" <erik.norman () datagram se>
Date: Wed, 26 Nov 2003 11:27:36 +0100

Hi all,

Starting from this morning, I'm getting alarms regarding XEXCH50 evasion
attempt (sid 2253, 2254). In my opinion, the conditions for that rule are not
met, but it still generates an alarm!

More detailed information below.


Now what? Is this a known issue? As I'm not participating in snort-users
list, please cc me in case of a reply.

Btw, snort rules! Thank you guys.

/Erik


The rule
--------
The rule says that a '-' should be within 1 distance away from the XEXCH50
keyword. Right?

...msg:"SMTP XEXCH50 overflow attempt"; flow:to_server,established;
content:"XEXCH50"; nocase; content:"-"; distance:1;...


Packet extract
--------------
-snip- 50  x () xxxxx xx>..RCP
-snip- 76  T TO:<xxx.xxxxxx
-snip- 0A  xxx () xxxxxx xx>..
-snip- 0A  XEXCH50 1940 2..


Platform
--------
Snort 2.0.4 on NetBSD 1.6.1
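To see what the quoted rule fragment actually requires, here is a small Python model of Snort's `content` / `nocase` / `distance` / `within` matching. It is an added example, not Snort's detection engine and not part of the original post, and it makes simplifying assumptions: `distance:N` starts the next search N bytes after the end of the previous match, and an optional `within:N` limits that search to a window of N bytes from that start. The rule text on the page is elided with "...", so only the two `content` options shown are modelled. The sample session fragment is constructed, with a hyphen appearing later in the buffer in a header line.

```python
# Added example (not Snort's own code): a minimal model of Snort content
# matching with the nocase, distance and within modifiers, applied to the
# two content options quoted from sid 2253/2254:
#   content:"XEXCH50"; nocase; content:"-"; distance:1;
from typing import Optional, Tuple


def find_content(buf: bytes, pattern: bytes, start: int,
                 nocase: bool = False,
                 within: Optional[int] = None) -> Optional[Tuple[int, int]]:
    """Return (match_start, match_end) of pattern in buf, searching from
    offset `start`, or None if absent.

    Simplified model: with `within`, the match must lie entirely inside
    buf[start:start + within]; without it, anything after `start` counts.
    """
    hay = buf.lower() if nocase else buf
    pat = pattern.lower() if nocase else pattern
    end = len(hay) if within is None else min(len(hay), start + within)
    idx = hay.find(pat, start, end)
    if idx == -1:
        return None
    return idx, idx + len(pat)


def xexch50_rule_matches(payload: bytes, within: Optional[int] = None) -> bool:
    """Model of: content:"XEXCH50"; nocase; content:"-"; distance:1;
    plus an optional within:N on the second content (hypothetical variant,
    not on the page) to show how the two modifiers differ."""
    first = find_content(payload, b"XEXCH50", 0, nocase=True)
    if first is None:
        return False
    _, prev_end = first
    # distance:1 -> skip one byte after the end of "XEXCH50", then search.
    second = find_content(payload, b"-", prev_end + 1, within=within)
    return second is not None


# Constructed SMTP fragment modelled on the packet extract: the byte after
# "XEXCH50 " is a digit, but a hyphen turns up later in a header line.
PAYLOAD_BENIGN = (b"RCPT TO:<user@example.com>\r\n"
                  b"XEXCH50 1940 2\r\n"
                  b"Content-Type: text/plain\r\n")

# Constructed fragment with a negative size argument right after the verb.
PAYLOAD_NEGATIVE = b"XEXCH50 -1 2\r\n"


if __name__ == "__main__":
    # Without within, the later hyphen satisfies the second content option.
    print("benign, distance only :", xexch50_rule_matches(PAYLOAD_BENIGN))
    # A 1-byte window right after the skipped byte does not.
    print("benign, within:1      :", xexch50_rule_matches(PAYLOAD_BENIGN, within=1))
    print("negative size, within :", xexch50_rule_matches(PAYLOAD_NEGATIVE, within=1))
```

The point the model makes: `distance:1` only says where the search for `-` begins (one byte past the end of `XEXCH50`); it does not bound how far that search may run, so any hyphen later in the same buffer satisfies the option. A `within` modifier is what would confine the hyphen to the bytes immediately following the verb.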


