Snort mailing list archives
Re: [Snort-Sigs] 19213 thousands of FP
From: JJC <cummingsj () gmail com>
Date: Tue, 27 Sep 2011 09:40:42 -0600
Notwithstanding the validity of the F+ nature of the rule, I wanted to take a quick second to point out a few things here, for the benefit of newer users on the list etc... As a matter of IPS best practice and tuning, there will be many valid rules that will not apply to your infrastructure and that will still alert based on your traffic. In this case a simple question should be asked when you see alerts: "Do I have an Ipswitch IMail Server?" I suspect that the answer to that will more than likely be no, and as such this sid should simply be disabled. The second item would simply be to utilize one of the VRT base policies ("balanced", "security", or "connectivity"). Doing so would have had this rule disabled by default and thus would not have produced the F+ that is noted. All of this being said, this rule could use some enhancement and that is being reviewed now.

JJC

On Tue, Sep 27, 2011 at 9:18 AM, matan monitz <mmonitz () gmail com> wrote:
Hello, can someone please explain the logic behind the sig? The "?Q?" is very, very common and there is no minimal length on the sig. Quoting from Secunia:

* 2) A boundary error in the List Mailer (imailsrv.exe) can be exploited to cause a stack-based buffer overflow via an overly-long string in the Subject field following the "?Q?" operator.*

You can't just alert on this operator appearing in the subject! (BTW, I'll be happy if someone can tell me what ?Q? means.)

P.S. The pcre should also be removed from the sig.
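For readers following this thread: "?Q?" is the Q-encoding marker of an RFC 2047 encoded-word (`=?charset?Q?text?=`), which is why it shows up in a large share of legitimate Subject headers. The script below is an added illustration, not from the thread or from the VRT rule set; it decodes such headers with the Python standard library and contrasts a naive "literal ?Q? present" check with one that only fires when the Q-encoded text exceeds a length bound. The sample subjects and the `MAX_Q_TEXT` bound are constructed placeholders, not the real IMail limit.

```python
import re
from email.header import decode_header, make_header

# Constructed sample Subject values (not taken from the original thread).
SAMPLES = {
    "plain": "Meeting notes for Tuesday",
    "benign_q": "=?utf-8?Q?Gr=C3=BC=C3=9Fe_aus_M=C3=BCnchen?=",
    "benign_b": "=?utf-8?B?SGVsbG8gV29ybGQ=?=",
    "long_q": "=?iso-8859-1?Q?" + "A" * 600 + "?=",
}

# Placeholder bound on encoded-text length; a real rule would take this
# from the vendor advisory, which this thread does not quote.
MAX_Q_TEXT = 256

# RFC 2047 encoded-word: =?charset?encoding?encoded-text?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([BbQq])\?([^?\s]*)\?=")


def decode_subject(subject: str) -> str:
    """Decode every RFC 2047 encoded-word in a Subject into readable text."""
    return str(make_header(decode_header(subject)))


def q_encoded_words(subject: str) -> list:
    """Return the encoded-text parts of all Q-encoded words in the header."""
    return [m.group(3) for m in ENCODED_WORD.finditer(subject)
            if m.group(2).upper() == "Q"]


def naive_match(subject: str) -> bool:
    """What a content match on the literal '?Q?' effectively does."""
    return "?Q?" in subject.upper()


def tuned_match(subject: str, max_len: int = MAX_Q_TEXT) -> bool:
    """Fire only when some Q-encoded text is longer than max_len."""
    return any(len(text) > max_len for text in q_encoded_words(subject))


def evaluate(samples: dict = SAMPLES) -> dict:
    """Map each sample name to (naive_alert, tuned_alert)."""
    return {name: (naive_match(s), tuned_match(s)) for name, s in samples.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:9} naive={verdict[0]!s:5} tuned={verdict[1]!s:5} "
              f"decoded={decode_subject(SAMPLES[name])[:40]!r}")
```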