Snort mailing list archives
Re: FP's for gen:124 sid:1 - smtp: Attempted command buffer overflow
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Wed, 11 May 2011 20:43:55 +0000
On 5/11/2011 8:29 PM, Matt Watchinski wrote:
> You got a full capture that replicates? Also any differences in your conf from the VRT conf?
> Cheers, -matt
Don't have PCAP on this stuff unfortunately. Conf should be the same as
VRT's almost to the letter. Below is the smtp preproc section:
preprocessor smtp: ports { 25 465 587 691 } \
    inspection_type stateful \
    enable_mime_decoding \
    max_mime_depth 20480 \
    normalize cmds \
    normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
    normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
    normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
    normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
    max_command_line_len 512 \
    max_header_line_len 1000 \
    max_response_line_len 512 \
    alt_max_command_line_len 260 { MAIL } \
    alt_max_command_line_len 300 { RCPT } \
    alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
    alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
    alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
    valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
    valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
    valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
    valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
    xlink2state { enabled }
-- Eoin
