RE: False positives

["Cessna, Michael" <MCessna () rtm com>]

This rule triggers on a Lotus Domino Mail Server overflow error. Do you have
a Domino Mail server? If not comment out the rule. I had a bunch of these
false positives with Exchange so I simply commented out the rule. Here's the
CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0260

Mike

-----Original Message-----
From: Chris Osicki [mailto:osk () gd2 swissptt ch]
Sent: Tuesday, October 30, 2001 9:11 AM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] False positives



Hi,

I'm trying to reduce the number of false positives I'm getting.
One of the "over sensitive" rule is this one:

alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP RCPT TO overflow"; 
flags:A+; content: "rcpt to|3a|"; dsize:>800; reference:cve,CAN-2001-0260; 
reference:bugtraq,2283; classtype:attempted-admin; sid:654; rev:1;)

which alarms every time there is a packet containing "rcpt to:"
and the packet payload is more than 800 bytes. Which is not necessarily
the length of recipients list to "rcpt to:".

[fire-proof overalls on]
Having a kind of limited regular expressions or wild-cards and a way
to reference the size of the matched string would be, at least in this 
case, useful. Like  `content: "rcpt to|3a|*|0d 0a|"; msize:>800'
I don't have enough experience with snort to estimate how 
useful could it be to help detect other buffer overflows.
Just wanted to share my thoughts.

Regards,
Chris


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users