Security Incidents mailing list archives

Re: Real-world attacks on sendmail CA-2003-07 seen


From: Bennett Todd <bet () rahul net>
Date: Mon, 10 Mar 2003 13:47:10 -0500

2003-03-10T13:22:05 Barry Kokotailo:
Is there a snort signature out for this as of yet?

Yes, the latest signature set includes, at the end of smtp.rules:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP From comment overflow attempt"; flow:to_server,established; content:"From\:"; content:"<><><><><><><><><><><><><><><><><><><><><><>"; distance:0; content:"("; distance:1; content:")"; distance:1; reference:cve,CAN-2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; classtype:attempted-admin; sid:2087; rev:2;)

It false-positives pretty easily, but does seem to catch the
currently-discussed attacks.

-Bennett
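
Added example, not part of the original post or of the Snort rule set: a Python emulation of just the content/distance chain of sid:2087, run over constructed SMTP payloads, showing one way a benign message can trip it (a mail body that quotes the signature). The names SID_2087, matches and SAMPLES are made up for this illustration, and the whole client-to-server payload is assumed to be a single buffer.

```python
# Added example: emulates only the content/distance options of sid:2087.
# flow, ports and stream reassembly are not modelled (assumption: one buffer).

# (pattern, distance) pairs copied from the rule; None = not relative.
# Snort's "From\:" escape stands for the literal bytes "From:".
SID_2087 = [
    (b"From:", None),
    (b"<><><><><><><><><><><><><><><><><><><><><><>", 0),
    (b"(", 1),
    (b")", 1),
]


def matches(payload, contents=SID_2087):
    """Return True if every content matches in order, honouring distance.

    distance:N starts the search N bytes after the end of the previous match.
    The rule has only lower bounds (no within/depth), so taking the leftmost
    hit at each step is sufficient and no backtracking is needed.
    """
    cursor = 0
    for pattern, distance in contents:
        start = 0 if distance is None else cursor + distance
        hit = payload.find(pattern, start)
        if hit < 0:
            return False
        cursor = hit + len(pattern)
    return True


ANGLES = SID_2087[1][0]

# Constructed SMTP DATA payloads (not captured traffic).
SAMPLES = {
    # Shape the rule is written for: bracket run, then a comment, in From:
    "header_hit": b"From: " + ANGLES + b" (comment)\r\nSubject: x\r\n\r\nbody\r\n",
    # Ordinary mail: no run of "<>" pairs anywhere.
    "plain_mail": b"From: Alice <alice@example.org> (Alice)\r\n\r\nhello\r\n",
    # Benign mail whose body quotes the signature, like a list post about it.
    "quoted_rule": b"From: bob@example.org\r\nSubject: snort sig\r\n\r\n"
                   b'content:"' + ANGLES + b'"; content:"("; content:")";\r\n',
    # Bracket run present, but no parenthesis pair after it.
    "no_comment": b"From: carol@example.org\r\n\r\n" + ANGLES + b"\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12} alert={matches(data)}")
```

Because none of the content options is anchored to the header line, the "quoted_rule" payload alerts even though its From: header is ordinary.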
