Snort mailing list archives
Re: (smtp) Attempted header name buffer overflow: xx chars before colon
From: Todd Wease <twease () sourcefire com>
Date: Tue, 02 Sep 2008 10:28:27 -0400
Hi Ryan,

This should be fixed in 2.8.3. For now, you can comment the SMTP_HEADER_NAME_OVERFLOW rule in preproc.rules. To utilize the preproc.rules you need to compile Snort with "--enable-decoder-preprocessor-rules" and uncomment "include $PREPROC_RULE_PATH/preprocessor.rules" in snort.conf.

Todd

chris ryan wrote:
Hi, we are running snort (2.8.2.1, latest subscribers rule set) in front of a big email infrastructure (>10000 users). I'm getting a lot of these alerts from the smtp preprocessor: "(smtp) Attempted header name buffer overflow: xx chars before colon", where xx is (65 .. 255).

I found an older post on the list:

----
Todd Wease
Date: 2008-03-27 12:41:50

The header name buffer overflow looks for a header name > 64 characters. Header names are taken to be the tags in the data header, e.g. Subject: Return-Path: Received: etc. If the number of characters before the ":" is more than 64 characters the smtp preprocessor alerts. The max_header_line_len has nothing to do with this - it looks for the length of the entire line.

Is your network asynchronous? Are you dropping packets? Can you provide a pcap that generates the alert (send to <email removed>)?
----

Our network isn't asynchronous and we have a very, very low drop rate. Most of the false positives seem to be newsletters or spam in html. I can provide pcaps of that, if needed.

Is there a way of disabling that warning without disabling the whole preprocessor? I only found these in the preproc.rules:

SMTP_COMMAND_OVERFLOW
SMTP_DATA_HDR_OVERFLOW
SMTP_RESPONSE_OVERFLOW
SMTP_SPECIFIC_CMD_OVERFLOW
SMTP_UNKNOWN_CMD
SMTP_ILLEGAL_CMD
SMTP_HEADER_NAME_OVERFLOW

It seems to me that the alert message is still from the preprocessor itself and does not use the preproc.rules.

Thanks in advance,
Chris.
------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
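The two checks Todd distinguishes in the quoted March post (more than 64 characters before the first ":" on a header line, as opposed to max_header_line_len, which measures the whole line) are modelled below in Python. This is an added example written for this page, not Snort's smtp preprocessor code, and the sample message is constructed. Three details the thread does not state are assumptions of the model: header lines run from the start of DATA until the first empty line, folded continuation lines (leading space or tab) carry no header name, and a line without any ":" has no header name to measure.

```python
"""Model of the two SMTP preprocessor header checks discussed in the thread.

Illustrative re-implementation written for this page, NOT Snort's own code.
It follows the description quoted in the thread:

  * SMTP_HEADER_NAME_OVERFLOW: more than 64 characters before the first ':'
    on a header line (the "header name").
  * max_header_line_len: a separate limit on the length of the whole line.

Assumptions not stated in the thread: header lines end at the first empty
line, folded continuation lines have no header name, and a line without a
':' is not measured.
"""
from dataclasses import dataclass
from typing import List

MAX_HEADER_NAME_LEN = 64  # the limit quoted in the thread


@dataclass(frozen=True)
class Alert:
    line_no: int   # 1-based line number within the DATA section
    kind: str      # "HEADER_NAME_OVERFLOW" or "DATA_HDR_OVERFLOW"
    length: int    # chars before the colon, or whole-line length


def check_data_section(data: str, max_header_line_len: int = 0) -> List[Alert]:
    """Run both checks over the DATA section of one message.

    `data` is the text after the DATA command (CRLF or LF line endings).
    max_header_line_len == 0 is treated as "no limit" (assumption).
    """
    alerts: List[Alert] = []
    in_headers = True
    for line_no, line in enumerate(data.splitlines(), start=1):
        if not in_headers:
            break  # body lines are not header lines; nothing to check
        if line == "":
            in_headers = False  # RFC 5322: first empty line ends the headers
            continue
        # Whole-line limit, independent of where (or whether) a ':' appears.
        if max_header_line_len and len(line) > max_header_line_len:
            alerts.append(Alert(line_no, "DATA_HDR_OVERFLOW", len(line)))
        if line[0] in " \t":
            continue  # folded continuation of the previous header: no name
        colon = line.find(":")
        if colon == -1:
            continue  # no ':' at all: nothing to measure (assumption)
        if colon > MAX_HEADER_NAME_LEN:
            alerts.append(Alert(line_no, "HEADER_NAME_OVERFLOW", colon))
    return alerts


def format_alert(alert: Alert) -> str:
    """Render an alert; the header-name wording is the one quoted in the thread,
    the line-length wording is ours."""
    if alert.kind == "HEADER_NAME_OVERFLOW":
        return (f"(smtp) Attempted header name buffer overflow: "
                f"{alert.length} chars before colon")
    return f"(smtp) header line of {alert.length} chars exceeds max_header_line_len"


# Constructed sample: an HTML newsletter line whose first ':' is 93 chars in.
HTML_LINE = ('<table width="600" cellpadding="0" cellspacing="0" border="0" '
             'bgcolor="#ffffff" style="border:none">')
HEADERS = [
    "Received: from mx.example.net (mx.example.net [192.0.2.10])",
    "\tby mail.example.org with ESMTP id 1234",  # folded line, no header name
    "From: newsletter@example.net",
    "Subject: Weekly digest",
    "Content-Type: text/html; charset=us-ascii",
]
# Header block NOT terminated by an empty line: the HTML is still "header".
MALFORMED = "\r\n".join(HEADERS + [HTML_LINE, "<tr><td>Hello</td></tr>"]) + "\r\n"
# Same message with the empty line in place: the HTML is body, not checked.
WELLFORMED = "\r\n".join(HEADERS + ["", HTML_LINE, "<tr><td>Hello</td></tr>"]) + "\r\n"


if __name__ == "__main__":
    for name, msg in (("malformed", MALFORMED), ("well-formed", WELLFORMED)):
        print(name)
        for a in check_data_section(msg, max_header_line_len=72):
            print(f"  line {a.line_no}: {format_alert(a)}")
```

Run it and the malformed sample produces the "93 chars before colon" alert (and, with max_header_line_len=72, a second alert for the 100-character line), while the well-formed sample produces nothing, which is the difference between the two checks Todd describes. Which lines the real preprocessor is in header state for depends on its own parsing of the DATA stream, so confirm against a pcap of an actual false positive before tuning either setting.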
Current thread:
- (smtp) Attempted header name buffer overflow: xx chars before colon chris ryan (Sep 02)
- Re: (smtp) Attempted header name buffer overflow: xx chars before colon Todd Wease (Sep 02)
- Re: (smtp) Attempted header name buffer overflow: xx chars before colon chris ryan (Sep 03)
- Re: (smtp) Attempted header name buffer overflow: xx chars before colon Todd Wease (Sep 02)