Snort mailing list archives
Need help with rule - [124:7:1] smtp: Attempted header name buffer overflow
From: Irish Settingg <irishsetting () gmail com>
Date: Tue, 3 Feb 2015 03:54:10 +0530
We have SNORT IDS in our environment and we are receiving a lot of such alerts - [124:7:1] smtp: Attempted header name buffer overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} Internal IP:46125 -> Internal SMTP Server:25 Rule - [image: Inline images 2] What is this rule actually looking for and what does the preprocessor rule do here..... Do We get false positives due to this.... For the Signature above one forum suggested that if the email headers are more than 64 characters - the alert gets triggered. I know that this rule is not a REGEX based rule but how does it check in the traffic if the header is not normal. Basically I want to know if this rule is of any use or not.
------------------------------------------------------------------------------ Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Need help with rule - [124:7:1] smtp: Attempted header name buffer overflow Irish Settingg (Feb 02)
- Re: Need help with rule - [124:7:1] smtp: Attempted header name buffer overflow Jason Wallace (Feb 03)
- Re: Need help with rule - [124:7:1] smtp: Attempted header name buffer overflow Irish Settingg (Feb 03)
- Re: Need help with rule - [124:7:1] smtp: Attempted header name buffer overflow Jason Wallace (Feb 03)