Snort mailing list archives

Broken Signature SMTP RCPT TO


From: "Ian Macdonald" <secsnort () dirk demon co uk>
Date: Wed, 1 May 2002 12:50:44 -0400

alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP RCPT TO overflow";
flags:A+; content:"rcpt to|3a|"; dsize:>800; reference:cve,CAN-2001-0260;
reference:bugtraq,2283; classtype:attempted-admin; sid:654; rev:1;)

This signature looks broken; it is matching on rcpt but not doing a nocase.
Also, I am not sure if dsize:> 800 will really do what they want to do.

Ian
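
The two concerns raised in the message above, checked against constructed payloads in an added example that is not part of the original post or of Snort. `rule_654_matches` models only the rule's two payload tests (the case-sensitive `content` match and `dsize`, which compares the size of a single packet's payload); `long_rcpt_argument` is a hypothetical check, not a Snort option, that measures the RCPT TO argument itself without regard to case.

```python
import re

def rule_654_matches(payload: bytes) -> bool:
    """Payload tests of the quoted rule: case-sensitive content match
    plus dsize:>800 (size of this one packet's payload)."""
    return b"rcpt to:" in payload and len(payload) > 800

# Hypothetical alternative (assumption, not a Snort rule): ignore case and
# apply the length test to the RCPT TO argument, up to the end of the line.
RCPT_RE = re.compile(rb"rcpt to:([^\r\n]*)", re.IGNORECASE)

def long_rcpt_argument(payload: bytes, limit: int = 800) -> bool:
    return any(len(m.group(1)) > limit for m in RCPT_RE.finditer(payload))

# Constructed sample payloads (not captured traffic).
LONG_ARG = b"A" * 900
SAMPLES = {
    "lowercase, long argument": b"rcpt to:" + LONG_ARG + b"\r\n",
    "uppercase, long argument": b"RCPT TO:" + LONG_ARG + b"\r\n",
    # 40 pipelined commands of 31 bytes each: 1240 bytes in one packet.
    "pipelined short recipients": b"".join(
        b"rcpt to:<user%03d@example.com>\r\n" % i for i in range(40)),
    "single short recipient": b"rcpt to:<user@example.com>\r\n",
}

def evaluate():
    """Return {sample name: (rule fires, argument really is long)}."""
    return {name: (rule_654_matches(p), long_rcpt_argument(p))
            for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (rule, arg) in evaluate().items():
        print(f"{name:28} rule={rule!s:5} long_argument={arg}")
```

The uppercase sample is a missed detection caused by the absent nocase, and the pipelined sample is a false alert caused by dsize counting the whole packet rather than one recipient argument.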



