Snort mailing list archives
Re: Question on 663
From: Jack Pepper <pepperjack () afferentsecurity com>
Date: Thu, 09 Apr 2009 12:16:34 -0500
And apologies to you, rmkml, because I did not notice in the bugtraq how RCPT ties into the debug exploitation.

It does seem like there is a typo in the rule, though. This PCRE will not match the sample exploit in bugtraq.

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP rcpt to command attempt"; flow:to_server,established; content:"rcpt to|3A|"; nocase; pcre:"/^rcpt\s+to\:\s*[|\x3b]/smi"; metadata:service smtp; reference:arachnids,172; reference:bugtraq,1; reference:cve,1999-0095; classtype:attempted-admin; sid:663; rev:15;)

But then I suppose that there aren't all that many sendmail 5.5.8 still in production.

jp

--
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com
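An added example, not part of the original message: a small Python harness that applies the two payload conditions of sid:663 as quoted above (the `content` match and the `pcre`) to constructed RCPT lines, showing which forms of the recipient argument the rule can fire on. It models only those two options, not `flow` or any preprocessor handling; the sample lines are constructed placeholders, not the bugtraq sample.

```python
import re

# Payload conditions copied from sid:663 rev:15 as quoted in the message.
CONTENT = b"rcpt to:"  # content:"rcpt to|3A|"; nocase;
PCRE = re.compile(rb"^rcpt\s+to\:\s*[|\x3b]", re.S | re.M | re.I)  # /smi


def rule_matches(payload: bytes) -> bool:
    """Return True when both the content and the pcre option match."""
    # nocase content match: literal "rcpt to:" anywhere in the payload
    if CONTENT not in payload.lower():
        return False
    # pcre is not relative, so it is evaluated over the whole payload;
    # /m lets ^ anchor at the start of any line in it
    return PCRE.search(payload) is not None


# Constructed sample payloads (assumptions for illustration only).
SAMPLES = {
    "pipe right after colon": b"RCPT TO: |placeholder\r\n",
    "semicolon right after colon": b"rcpt to:;placeholder\r\n",
    "pipe inside angle bracket": b"RCPT TO: <|placeholder>\r\n",
    "ordinary recipient": b"RCPT TO:<user@example.com>\r\n",
    "two spaces before TO": b"RCPT  TO: |placeholder\r\n",
    "second line of payload": b"MAIL FROM:<a@example.com>\r\nRCPT TO: |placeholder\r\n",
}


def evaluate(samples=SAMPLES):
    """Map each sample label to whether the rule's payload options match."""
    return {label: rule_matches(data) for label, data in samples.items()}


if __name__ == "__main__":
    for label, hit in evaluate().items():
        print(f"{'MATCH' if hit else 'miss ':5}  {label}")
```

The "two spaces" case satisfies the `pcre` (`\s+`) but not the literal `content` string, so the pair of options is stricter than the regular expression alone.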