Snort mailing list archives
Correct Link for the Snort Virtual Users Group
From: Mike Guiterman <mike.guiterman () sourcefire com>
Date: Tue, 19 Sep 2006 09:37:27 -0400
Hi all,

My apologies for the bad link. The correct link to register for the Virtual Users Group is below:

https://sourcefire.webex.com/sourcefire/j.php?ED=86930197&RG=1

Mike

On 9/18/06 10:51 PM, "snort-users-request () lists sourceforge net" <snort-users-request () lists sourceforge net> wrote:
Send Snort-users mailing list submissions to
    snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
    snort-users-request () lists sourceforge net

You can reach the person managing the list at
    snort-users-owner () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:

   1. SMTP preprocessor triggering on incorrect data (Jason Haar)
   2. Inaugural Snort Virtual Users Group Meeting Sept. 28 (Mike Guiterman)
   3. Re: Inaugural Snort Virtual Users Group Meeting Sept. 28 (Will Metcalf)
   4. Re: Inaugural Snort Virtual Users Group Meeting Sept. 28 (Jason)
   5. Re: error: log_tcpdump TcpdumpInitlogefile():no error (Joel Esler)

----------------------------------------------------------------------

Message: 1
Date: Tue, 19 Sep 2006 07:12:03 +1200
From: Jason Haar <Jason.Haar () trimble co nz>
Subject: [Snort-users] SMTP preprocessor triggering on incorrect data
To: snort-users () lists sourceforge net
Message-ID: <450EEF83.3040003 () trimble co nz>
Content-Type: text/plain; charset=ISO-8859-1

I just had an FP event generated by the SMTP preprocessor

    # smtp: SMTP normalizer, protocol enforcement and buffer overflow
    preprocessor smtp: \
      ports { 25 587 } \
      ignore_tls_data \
      ignore_data \
      inspection_type stateful \
      normalize cmds \
      normalize_cmds { EXPN VRFY RCPT } \
      alt_max_command_line_len 260 { MAIL } \
      alt_max_command_line_len 300 { RCPT } \
      alt_max_command_line_len 500 { HELP HELO ETRN } \
      alt_max_command_line_len 255 { EXPN VRFY }

The event was "Attempted specific command buffer overflow: HELP, 941 chars", but the captured packet shows the word help was actually within the DATA component of the SMTP stream - not a SMTP command.

It was from one of our internal Exchange servers to another Exchange server, so I assume their initial SMTP dialog was vaguely compliant. :-)

This is snort 2.6.0.2 under RHE4
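The false positive reported in the quoted digest message, as an added example that is not part of the original post and is not Snort's code: a per-command length check run over a constructed SMTP session, once without tracking the DATA phase and once with it. The limits are the alt_max_command_line_len values from the posted config; the function names and the sample session are assumptions, and the sketch only sees client lines and assumes the server accepts DATA.

```python
# Per-command limits copied from the alt_max_command_line_len lines in the post.
LIMITS = {"MAIL": 260, "RCPT": 300, "HELP": 500, "HELO": 500, "ETRN": 500,
          "EXPN": 255, "VRFY": 255}

def check_line(line):
    """Return an alert string if the line starts with a limited command and is too long."""
    word = line.split(" ", 1)[0].upper()
    limit = LIMITS.get(word)
    if limit is not None and len(line) > limit:
        return f"command overflow: {word}, {len(line)} chars"
    return None

def stateless_alerts(client_lines):
    """Naive check: every client line is treated as a command line."""
    return [a for a in map(check_line, client_lines) if a]

def stateful_alerts(client_lines):
    """Track the DATA phase: body lines up to the lone '.' are not commands."""
    alerts, in_data = [], False
    for line in client_lines:
        if in_data:
            if line == ".":          # end-of-data marker returns to command mode
                in_data = False
            continue                 # message body is never length-checked
        alert = check_line(line)
        if alert:
            alerts.append(alert)
        if line.strip().upper() == "DATA":
            in_data = True
    return alerts

# Constructed sample session (client side only); the body line is 941 chars.
BODY_LINE = "help " + "x" * 936
SESSION = ["HELO mail1.example.test", "MAIL FROM:<a@example.test>",
           "RCPT TO:<b@example.test>", "DATA", "Subject: test", "",
           BODY_LINE, ".", "QUIT"]

if __name__ == "__main__":
    print("stateless:", stateless_alerts(SESSION))
    print("stateful: ", stateful_alerts(SESSION))
```

The stateless pass reproduces the reported event on the body line, while the stateful pass stays quiet yet still alerts on an over-long HELP sent as a real command.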