Snort mailing list archives

Weird issue with 1.8.6 and SMTP alerts


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Mon, 20 May 2002 12:26:45 +1200

I'm getting hundreds of hits on the "SMTP RCPT TO overflow" rule, which
appears to be (/should be ;-) due to a bug with something.

It's recording a match on a packet that contains an ENTIRE SMTP transaction.

The rule is:

content:"rcpt to|3a|"; nocase; dsize:>800; 

This should only trigger on a packet > 800 bytes that contains "rcpt to:". A
normal SMTP transaction involves the "rcpt to:" being sent as its own
packet - so this rule should only cause false positives when "rcpt to:"
shows up within the DATA component (like this actual message will...)

However, the alert DATA record I see via ACID looks like this:

EHLO servername<CRLF>
MAIL FROM:<address><CRLF>
RCPT TO:<address><CRLF>
DATA<CRLF>
xxxxxx
xxx
xxx



i.e. a single packet containing half the entire SMTP transaction!

That shouldn't be happening - right? I mean, that should be at least FOUR
packets there - not one...

I tcpdump'ed the link and caught one of the events. As expected, the "rcpt
to:" is sent in its own packet - so it shouldn't have triggered the rule.

Is the "snort -z" option doing something it didn't before? Aggregating
packets into one virtual packet or something?

Strange thing is, it isn't matching on all mail - just some...

Any ideas?

-- 
Cheers

Jason Haar

Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
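An added example, not part of Jason's post and not Snort's own code: it models the rule quoted in the post (`content:"rcpt to|3a|"; nocase; dsize:>800;`, where `|3a|` is the hex byte for ':') as a Python predicate and evaluates it two ways, once against each client packet of a constructed SMTP transaction and once against the concatenation of those packets. The concatenation stands in for the "virtual packet" the post suspects stream reassembly is producing; that it behaves this way under Snort is the post's hypothesis, not something this example verifies. It also shows the one false positive the post expects to be legitimate: a large DATA segment whose body happens to contain the text "rcpt to:". All traffic is constructed for illustration.

```python
# Added example: models the Snort rule from the post against per-packet
# versus reassembled SMTP payloads. Sample traffic is constructed.

CRLF = b"\r\n"
RULE_CONTENT = b"rcpt to:"   # content:"rcpt to|3a|" with nocase
RULE_MIN_DSIZE = 800         # dsize:>800 (strictly greater)


def rule_matches(payload: bytes) -> bool:
    """Approximation of the rule: payload longer than 800 bytes AND a
    case-insensitive 'rcpt to:' anywhere in it."""
    return len(payload) > RULE_MIN_DSIZE and RULE_CONTENT in payload.lower()


# Constructed client-side segments of one SMTP session; server replies
# are omitted because the rule only inspects what the client sends.
PACKETS = [
    b"EHLO client.example" + CRLF,
    b"MAIL FROM:<sender@example.invalid>" + CRLF,
    b"RCPT TO:<recipient@example.invalid>" + CRLF,
    b"DATA" + CRLF,
    # message body: well over 800 bytes, no 'rcpt to:' in it
    b"Subject: test" + CRLF + CRLF + b"x" * 900 + CRLF + b"." + CRLF,
]


def per_packet_alerts(packets) -> list:
    """Indexes of packets that fire the rule when each is inspected alone."""
    return [i for i, p in enumerate(packets) if rule_matches(p)]


def reassembled_alert(packets) -> bool:
    """Same rule applied to one pseudo-packet holding the whole client side
    (the aggregation the post suspects Snort's -z option performs)."""
    return rule_matches(b"".join(packets))


def body_mentioning_rule_text() -> bool:
    """The false positive the post considers legitimate: a single large DATA
    segment whose body text quotes 'rcpt to:'."""
    body = (b"DATA" + CRLF + b"The alert fires on rcpt to: when dsize is large. "
            + b"y" * 850 + CRLF + b"." + CRLF)
    return rule_matches(body)


if __name__ == "__main__":
    print("per-packet alerts:", per_packet_alerts(PACKETS))      # []
    print("reassembled alert:", reassembled_alert(PACKETS))       # True
    print("body quoting rule text:", body_mentioning_rule_text())  # True
```

Inspected packet by packet, the "RCPT TO:" segment is far under 800 bytes and the body segment never contains the string, so nothing fires; joined into one payload, the size test and the content test both pass, which is exactly the shape of the ACID record in the post. When triaging this kind of alert, comparing the alerted payload against the raw capture (as the post does with tcpdump) is what distinguishes a reassembly artifact from a genuine oversized RCPT TO line.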



