Snort mailing list archives
Broken Signature SMTP RCPT TO
From: "Ian Macdonald" <secsnort () dirk demon co uk>
Date: Wed, 1 May 2002 12:50:44 -0400
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP RCPT TO overflow"; flags:A+; content:"rcpt to|3a|"; dsize:>800; reference:cve,CAN-2001-0260; reference:bugtraq,2283; classtype:attempted-admin; sid:654; rev:1;) This signature looks broken, it is matching on rcpt but not doing a nocase. Also I am not sure if dsize:> 800 will really do what they want to do. Ian
Current thread:
- Broken Signature SMTP RCPT TO Ian Macdonald (May 01)