Snort mailing list archives

Re: Question on 663


From: Jack Pepper <pepperjack () afferentsecurity com>
Date: Thu, 09 Apr 2009 12:16:34 -0500

And apologies to you, rmkml, because I did not notice in the bugtraq how RCPT ties into the debug exploitation.

It does seem like there is a typo in the rule, though. This PCRE will not match the sample exploit in bugtraq.

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP rcpt to command attempt"; flow:to_server,established; content:"rcpt to|3A|"; nocase; pcre:"/^rcpt\s+to\:\s*[|\x3b]/smi"; metadata:service smtp; reference:arachnids,172; reference:bugtraq,1; reference:cve,1999-0095; classtype:attempted-admin; sid:663; rev:15;)

But then I suppose that there aren't all that many sendmail 5.5.8 still in production.

jp



-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com
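The following is an added example, not part of the post above or of the Snort rule set: a small Python harness that emulates sid 663's two detection options (the "rcpt to|3A|" content match with nocase, then the PCRE with its s/m/i flags) and runs them over constructed RCPT TO lines, so the reach of the quoted PCRE can be checked directly. The sample payloads are constructed for this illustration and use the placeholder word "command" in place of any real pipe target. The widened pattern at the end is a hypothetical illustration of how the character class could be preceded by an optional angle bracket and quote; it is not a proposed revision of the rule.

```python
import re

# sid 663 rev 15 PCRE exactly as quoted in the post: /^rcpt\s+to\:\s*[|\x3b]/smi
# Snort's s/m/i flags correspond to Python's DOTALL/MULTILINE/IGNORECASE.
SID_663_PCRE = re.compile(r"^rcpt\s+to\:\s*[|\x3b]", re.S | re.M | re.I)

# The rule's content match, "rcpt to|3A|" with nocase, i.e. the bytes "rcpt to:".
SID_663_CONTENT = b"rcpt to:"

# Hypothetical widened pattern (assumption, not from the rule set): allow an optional
# '<' and '"' between the colon and the pipe/semicolon before the character class.
WIDENED_PCRE = re.compile(r'^rcpt\s+to\:\s*<?"?\s*[|\x3b]', re.S | re.M | re.I)


def content_matches(payload: bytes) -> bool:
    """Emulate content:"rcpt to|3A|"; nocase; over the raw client-to-server payload."""
    return SID_663_CONTENT in payload.lower()


def rule_matches(payload: bytes) -> bool:
    """Emulate sid 663: the content option must hit, then the PCRE must match."""
    if not content_matches(payload):
        return False
    # latin-1 decoding maps every byte to a code point, so arbitrary bytes never fail here.
    return SID_663_PCRE.search(payload.decode("latin-1")) is not None


def widened_matches(payload: bytes) -> bool:
    """Same content gate, but with the hypothetical widened PCRE."""
    if not content_matches(payload):
        return False
    return WIDENED_PCRE.search(payload.decode("latin-1")) is not None


def evaluate(samples):
    """Return a list of (label, sid663_hit, widened_hit) for each constructed sample."""
    return [(label, rule_matches(p), widened_matches(p)) for label, p in samples]


# Constructed sample SMTP command lines (not captured traffic).
SAMPLES = [
    ("bare pipe after colon", b"RCPT TO: |command\r\n"),
    ("semicolon after colon", b"rcpt to:;command\r\n"),
    ("pipe inside <\"...\">", b'rcpt to: <"|command">\r\n'),
    ("ordinary recipient", b"rcpt to: <user@example.com>\r\n"),
    ("second line of a multi-command payload", b"MAIL FROM:<a@example.com>\r\nRCPT TO: |command\r\n"),
]

if __name__ == "__main__":
    for label, hit, widened in evaluate(SAMPLES):
        print(f"{label:40s} sid663={hit!s:5s} widened={widened!s:5s}")
```

Running the block prints one line per sample; the third sample is the interesting one, since the quoted PCRE requires the pipe or semicolon to follow the colon with nothing but whitespace in between, so a pipe that sits inside an angle-bracketed, quoted address is not matched by sid 663 as written. The multi-line sample shows the effect of the m flag: the `^` anchor matches at the start of each line of the payload, not only at offset zero.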

