Snort mailing list archives

Limiting false-hits with "SMTP RCPT TO overflow" rule

From: Jason Haar <Jason.Haar () trimble co nz>
Date: Sat, 18 Aug 2001 20:55:06 +1200

Let's say I want to write a better "SMTP RCPT TO overflow" rule:

alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP RCPT TO overflow";
flags:A+; content:"rcpt to|3a|"; dsize:>800; reference:cve,CAN-2001-0260;
reference:bugtraq,2283; classtype:attempted-admin; sid:654; rev:1;)

I get a few false-hits on that one. Mainly from security lists obviously :-)
The problem of course is that rule looks for "rct to:", and a large packet
size - something easily met inside the body of a mail message about SMTP.

Would adding perhaps a "offset:0" to this rule fix it? All SMTP RCPT calls
are done as single packets, so that offset would always be right - wouldn't
it?

Agh. PIPELINING may screw that...

-- 
Cheers

Jason Haar

Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Limiting false-hits with "SMTP RCPT TO overflow" rule Jason Haar (Aug 18)