Snort mailing list archives
Re: SID 13923 - Bad Rule
From: "evilghost () packetmail net" <evilghost () packetmail net>
Date: Tue, 6 Apr 2010 14:10:15 -0500
Oh yeah, this one is policy security-ips drop so you may want to escalate priority. I don't think SMTP is that nefarious, SF you might have some appliance IPS impacted customers...

-evilghost

evilghost () packetmail net wrote:

Hello,

SID 13923 seems to generate quite a lot of false positives. Looking at the rule, did you really mean it this way?

content:"HELO "; content:!"|00|"; within:2

This fires on every SMTP HELO since the syntax is "HELO fqdn.hostname.com". I would imagine any RFC-compliant SMTP connection with "HELO" would cause this signature to fire. I would expect to not find a null character after the SMTP "HELO" verb within three bytes of the previous content match (taking into account the 0x20 after the HELO verb). Can this be addressed? As-is it appears this signature isn't specific to CVE 2006-3277 at all.

Not to be a jerk but this really is a horrid rule, how did it make it into this VRT release? It was modified in this VRT release.

Thanks,
-evilghost
------------------------------------------------------------------------------ Download Intel® Parallel Studio Eval Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta. http://p.sf.net/sfu/intel-sw-dev _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
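To make the matching semantics the thread argues about concrete, the following is a small emulation of Snort's content / within logic run over constructed SMTP greeting lines. It is an added example for this archive page, not Snort source code and not a VRT rule; the option chain labelled "as posted" is copied from the message above, the inverted variant is hypothetical and exists only to show what the `!` changes, and the sample payloads are constructed.

```python
"""
Emulation of Snort's content / within matching, written to show why the
SID 13923 option chain quoted in the thread fires on every normal HELO.

Added example for this archive page; it is not Snort source code and not
a VRT rule. The sample SMTP payloads are constructed for the demo.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Content:
    """One Snort content option: content:[!]"pattern"; [within:N;]"""
    pattern: bytes
    negated: bool = False          # content:!"..."
    within: Optional[int] = None   # search window, in bytes, after the previous match


def rule_matches(payload: bytes, options: List[Content]) -> bool:
    """Evaluate a chain of content options the way Snort does.

    A content option with no relative modifier is searched over the whole
    payload.  'within:N' restricts the search to the N bytes that follow the
    end of the previous positive match (Snort's "doe" pointer).  A negated
    content succeeds when the pattern is *absent* from its window and does
    not move the doe pointer.
    """
    doe = 0  # end offset of the last positive match
    for opt in options:
        if opt.within is None:
            start, end = 0, len(payload)
        else:
            start, end = doe, doe + opt.within
        idx = payload.find(opt.pattern, start, end)
        found = idx != -1
        if opt.negated:
            if found:
                return False
        else:
            if not found:
                return False
            doe = idx + len(opt.pattern)
    return True


# The option chain exactly as quoted in the thread:
#   content:"HELO "; content:!"|00|"; within:2
SID_13923_AS_POSTED = [
    Content(b"HELO "),
    Content(b"\x00", negated=True, within=2),
]

# Hypothetical inverse, used only to show what the negation changes: it
# requires a NUL within two bytes after "HELO ".  This is an illustration of
# the semantics, not the VRT's actual fix.
HYPOTHETICAL_POSITIVE_NUL = [
    Content(b"HELO "),
    Content(b"\x00", within=2),
]

# Constructed sample client lines.
RFC_HELO = b"HELO mail.example.com\r\n"    # ordinary, RFC-compliant greeting
EHLO = b"EHLO mail.example.com\r\n"        # ESMTP greeting, no "HELO " at all
NUL_HELO = b"HELO \x00\x00AAAA\r\n"         # NUL bytes right after the verb


def fires(options: List[Content]) -> List[str]:
    """Return the names of the sample payloads the option chain alerts on."""
    samples = {"RFC_HELO": RFC_HELO, "EHLO": EHLO, "NUL_HELO": NUL_HELO}
    return [name for name, data in samples.items() if rule_matches(data, options)]


if __name__ == "__main__":
    print("as posted   :", fires(SID_13923_AS_POSTED))        # ['RFC_HELO']
    print("positive NUL:", fires(HYPOTHETICAL_POSITIVE_NUL))  # ['NUL_HELO']
```

Running it shows the inversion the poster describes: the chain as quoted alerts on the plain RFC-compliant HELO and stays silent on the greeting that actually carries NUL bytes after the verb, because `content:!"|00|"; within:2` only succeeds when no NUL appears in the two bytes after "HELO ". The emulator deliberately ignores the rest of a real rule (flow, ports, the preprocessor's normalization, fast_pattern selection), so it reproduces only the two content options under discussion.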
Current thread:
- SID 13923 - Bad Rule evilghost () packetmail net (Apr 06)
- Re: SID 13923 - Bad Rule evilghost () packetmail net (Apr 06)
- Re: SID 13923 - Bad Rule Patrick Mullen (Apr 06)
- Re: SID 13923 - Bad Rule evilghost () packetmail net (Apr 06)
- Re: SID 13923 - Bad Rule Matt Olney (Apr 06)
- Re: SID 13923 - Bad Rule Patrick Mullen (Apr 06)
- Re: SID 13923 - Bad Rule evilghost () packetmail net (Apr 06)