Snort mailing list archives
Re: SMTP RCPT TO overflow
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Tue, 7 May 2002 15:49:14 +1200
On Mon, May 06, 2002 at 11:39:00PM -0400, Brian wrote:
> > Adding an "offset: 0" option to the rule should help. In fact that would almost completely remove false positives on that one I think? (Comments?)
>
> Unfortunately, that would make us evadable. Many mail servers understand " rcpt to <stuff>" (note the spaces), so we could be easily evaded by adding the offset:0 stuff.
Gah. I'm responsible for Qmail-Scanner - an Email content scanner, so I am majorly aware of how antivirus scanners (and now IDS...) have to support every broken piece of software out there....

However, I wonder if this could be turned into a feature. We already have "web-iis.rules", why not "smtp-generic.rules", "smtp-strict-rfc.rules", "smtp-borked.rules", etc. That way those of us who care can customize their IDS to match their environment. I use Qmail - and " rcpt to:" is NEVER going to be a problem for me...

Then the "smtp-strict-rfc.rules" could have things like the offset to reduce their false-positives, and the sites that have to run "smtp-borked.rules" would have yet another reason to upgrade their servers :-)

--
Cheers
Jason Haar
Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377
Fax: +64 3 9635 417
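The trade-off Brian and Jason are arguing about, shown as an added example that is not code from the thread or from the Snort project: one detector insists on `RCPT TO` at payload offset 0 (the effect of adding `offset: 0` to a content match), the other tolerates the leading spaces and loose syntax that lenient mail servers accept. The length threshold and the sample SMTP lines are constructed for illustration and are not Snort's actual rule values.

```python
"""Compare an offset-0-anchored RCPT TO check with a whitespace-tolerant one.

Added example, not code from the mailing list thread or from Snort.
MAX_RCPT_ARG_LEN and the SAMPLES lines are constructed values.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed threshold: flag RCPT TO arguments longer than this many bytes.
MAX_RCPT_ARG_LEN = 300

# Matches "RCPT TO:" only at the very start of the payload, case-insensitive.
# This models a content match constrained with "offset: 0".
ANCHORED = re.compile(rb"^RCPT TO:", re.IGNORECASE)

# Tolerates leading whitespace, extra spaces between the words, and an
# optional colon, i.e. the " rcpt to <stuff>" form lenient servers accept.
LENIENT = re.compile(rb"^\s*RCPT\s+TO\s*:?", re.IGNORECASE)


def rcpt_argument(payload: bytes, pattern: "re.Pattern[bytes]") -> Optional[bytes]:
    """Return the bytes following the RCPT TO keyword, or None if the
    pattern does not match the payload."""
    m = pattern.match(payload)
    if m is None:
        return None
    return payload[m.end():].rstrip(b"\r\n")


def oversized_rcpt(payload: bytes, pattern: "re.Pattern[bytes]") -> bool:
    """True if the payload is a RCPT TO command (per pattern) whose
    argument exceeds MAX_RCPT_ARG_LEN."""
    arg = rcpt_argument(payload, pattern)
    return arg is not None and len(arg) > MAX_RCPT_ARG_LEN


def compare(payloads: List[bytes]) -> Dict[bytes, Tuple[bool, bool]]:
    """Run both detectors over each payload.

    Returns {payload: (anchored_alerted, lenient_alerted)} so the cases
    where the offset-0 version stays silent are easy to spot."""
    return {p: (oversized_rcpt(p, ANCHORED), oversized_rcpt(p, LENIENT)) for p in payloads}


# Constructed sample SMTP client lines.
LONG_ADDR = b"<" + b"A" * 400 + b"@example.invalid>"
SAMPLES = [
    b"RCPT TO:<bob@example.invalid>\r\n",  # normal, short: neither alerts
    b"RCPT TO:" + LONG_ADDR + b"\r\n",      # oversized at offset 0: both alert
    b"  rcpt to " + LONG_ADDR + b"\r\n",    # oversized with leading spaces: anchored misses it
]

if __name__ == "__main__":
    for payload, (anchored, lenient) in compare(SAMPLES).items():
        print(f"{payload[:24]!r:30} anchored={anchored!s:5} lenient={lenient}")
```

The lenient pattern is the one that closes the evasion Brian describes; the cost is exactly what Jason's "smtp-strict-rfc.rules" versus "smtp-borked.rules" split is about: a site whose servers reject leading-space commands gains nothing from the looser match and pays for it in false positives, so the choice belongs in a per-environment rule set rather than in a single global rule.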
Current thread:
- SMTP RCPT TO overflow Jhumri Tilayia (Apr 25)
- Re: SMTP RCPT TO overflow Ralf Hildebrandt (Apr 25)
- Re: SMTP RCPT TO overflow Jason Haar (Apr 25)
- Message not available
- Re: SMTP RCPT TO overflow Jason Haar (May 06)
- REMOVE Jason Haar from the list! Martin Forest (May 07)
- Re: REMOVE Jason Haar from the list! Matt Kettler (May 07)
- RE: REMOVE Jason Haar from the list! Jason Withrow (May 07)
- Re: REMOVE Jason Haar from the list! Jason Haar (May 07)
- Message not available
- <Possible follow-ups>
- smtp rcpt to overflow Hugo Ferr (Jun 05)
- RE: smtp rcpt to overflow Hugh Brown (Jun 05)
- RE: smtp rcpt to overflow Ted Stringer (Jun 05)
- Re: smtp rcpt to overflow Edwin Eefting (Jun 05)
- RE: smtp rcpt to overflow Hugh Brown (Jun 05)