Snort mailing list archives

Re: SMTP RCPT TO overflow


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Tue, 7 May 2002 15:49:14 +1200

On Mon, May 06, 2002 at 11:39:00PM -0400, Brian wrote:
Adding an "offset: 0" option to the rule should help. In fact that would
almost completely remove false positives on that one I think? (Comments?)

Unfortunately, that would make us evadable.  Many mail servers
understand "    rcpt to <stuff>" (note the spaces), so we could be
easily evaded by adding the offset:0 stuff.

Gah. I'm responsible for Qmail-Scanner - an Email content scanner, so I am
majorly aware of how antivirus scanners (and now IDS...) have to support
every broken piece of software out there.... However, I wonder if this could
be turned into a feature. We already have "web-iis.rules", why not
"smtp-generic.rules", "smtp-strict-rfc.rules",
"smtp-borked.rules", etc.

That way those of us who care can customize their IDS to match their
environment. I use Qmail - and " rcpt to:" is NEVER going to be a problem
for me...

Then the "smtp-strict-rfc.rules" could have things like the offset to reduce
their false-positives, and the sites that have to run "smtp-borked.rules"
would have yet another reason to upgrade their servers :-)

-- 
Cheers

Jason Haar

Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
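The trade-off discussed in this thread, as an added illustration that is not part of the original mail and is not Snort's own rule engine: a matcher that insists "RCPT TO" start the line (the equivalent of an `offset: 0` content check) misses leading-whitespace variants that lenient mail servers accept, while an unanchored matcher catches them at the cost of more false positives. The sample SMTP command lines, the `MAX_RCPT_ARG` threshold and the function names are all constructed here for illustration, and the over-long argument is just filler characters.

```python
import re

# Constructed sample SMTP command lines (not taken from the thread).
# The long argument is harmless filler used only to exercise the length check.
SAMPLE_LINES = [
    "RCPT TO:<alice@example.invalid>",          # normal, RFC-style
    "    rcpt to:<bob@example.invalid>",        # leading spaces, lower case
    "RCPT TO:<" + "A" * 300 + ">",              # over-long argument, anchored
    "    rcpt to:<" + "A" * 300 + ">",          # over-long argument, with spaces
    "MAIL FROM:<alice@example.invalid>",        # unrelated command
]

# Illustrative threshold for "suspiciously long" RCPT TO argument; this is an
# assumption for the example, not the value used by any real Snort rule.
MAX_RCPT_ARG = 200


def strict_rfc_match(line):
    """Model of a rule anchored at offset 0: the command must start the line."""
    return line[:7].upper() == "RCPT TO"


def lenient_match(line):
    """Model of an unanchored rule: 'rcpt to' anywhere, any case, any spacing."""
    return re.search(r"rcpt\s+to", line, re.IGNORECASE) is not None


def arg_length(line):
    """Length of the argument following 'RCPT TO:' (0 if the command is absent)."""
    m = re.search(r"rcpt\s+to\s*:", line, re.IGNORECASE)
    if m is None:
        return 0
    return len(line[m.end():].strip())


def classify(line, matcher):
    """'no-match' if the matcher ignores the line, else 'overflow' or 'ok'."""
    if not matcher(line):
        return "no-match"
    return "overflow" if arg_length(line) > MAX_RCPT_ARG else "ok"


def evaluate(lines=SAMPLE_LINES):
    """Return (strict verdict, lenient verdict) for every sample line."""
    return [(classify(l, strict_rfc_match), classify(l, lenient_match))
            for l in lines]


if __name__ == "__main__":
    for line, (strict, lenient) in zip(SAMPLE_LINES, evaluate()):
        print(f"{line[:40]!r:45} strict={strict:9} lenient={lenient}")
```

Running it shows the fourth sample line, the spaced-out over-long command, is reported by the lenient matcher but silently passed by the strict one, which is the evasion the reply describes; a site whose own MTA rejects the spaced form can afford the strict variant, which is the point of splitting the rule set by environment.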

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net