Snort mailing list archives
Weird issue with 1.8.6 and SMTP alerts
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Mon, 20 May 2002 12:26:45 +1200
I'm getting hundreds of hits on the "SMTP RCPT TO overflow" rule, which appears to be (/should be ;-) due to a bug with something. It's recording a match on a packet that contains an ENTIRE SMTP transaction.

The rule is:

    content:"rcpt to|3a|"; nocase; dsize:>800;

This should only trigger on a packet > 800 bytes that contains "rcpt to:". A normal SMTP transaction involves the "rcpt to:" being sent as its own packet - so this rule should only cause false positives when "rcpt to:" shows up within the DATA component (like this actual message will...)

However, the alert DATA record I see via ACID looks like this:

    EHLO servername<CRLF>
    MAIL FROM:<address><CRLF>
    RCPT TO:<address><CRLF>
    DATA<CRLF>
    xxxxxx xxx xxx

i.e. a single packet containing half the entire SMTP transaction! That shouldn't be happening - right? I mean, that should be at least FOUR packets there - not one...

I tcpdump'ed the link and caught one of the events. As expected, the "rcpt to:" is sent in its own packet - so it shouldn't have triggered the rule.

Is the "snort -z" option doing something it didn't before? Aggregating packets into one virtual packet or something? Strange thing is, it isn't matching on all mail - just some...

Any ideas?

--
Cheers
Jason Haar
Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
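As an added illustration (not part of the original post or of Snort's own code), the following Python model applies the two rule options quoted above, case-insensitive content "rcpt to:" and dsize > 800, first to each wire packet on its own and then to a single reassembled client-to-server buffer, which is what a stream reassembly preprocessor hands to the detection engine; the SMTP segments and message body are constructed.

```python
# Constructed client-side SMTP segments, one command per TCP segment, then the
# DATA body in its own segment (the normal pattern the post describes).
BODY = "Subject: test\r\n\r\n" + ("x" * 70 + "\r\n") * 12 + ".\r\n"
PACKETS = [
    b"EHLO servername\r\n",
    b"MAIL FROM:<alice@example.test>\r\n",
    b"RCPT TO:<bob@example.test>\r\n",
    b"DATA\r\n",
    BODY.encode(),
]

# Rule options from the post: content:"rcpt to|3a|"; nocase; dsize:>800;
# |3a| is Snort's hex escape for the ':' byte.
CONTENT = b"rcpt to:"
DSIZE_MIN = 800


def rule_matches(payload: bytes) -> bool:
    """True when the payload is over 800 bytes and contains 'rcpt to:' (nocase)."""
    return len(payload) > DSIZE_MIN and CONTENT in payload.lower()


def per_packet_alerts(packets):
    """Indices of wire packets that trip the rule with no stream reassembly."""
    return [i for i, p in enumerate(packets) if rule_matches(p)]


def reassembled_alert(packets) -> bool:
    """Rule evaluated over the whole reassembled client stream as one pseudo-packet.

    The RCPT TO line is tiny by itself, but once the body is appended the
    buffer exceeds dsize while still containing 'rcpt to:', so the rule fires.
    """
    stream = b"".join(packets)
    return rule_matches(stream)


if __name__ == "__main__":
    print("per-packet alerts:", per_packet_alerts(PACKETS))   # []
    print("reassembled alert:", reassembled_alert(PACKETS))   # True
```

Tuning the rule to inspect only the first few hundred bytes of the session, or to require the pattern at the start of the reassembled buffer, is the usual way to keep the reassembled stream from producing this false positive.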
Current thread:
- Weird issue with 1.8.6 and SMTP alerts Jason Haar (May 19)
- Re: Weird issue with 1.8.6 and SMTP alerts Rob Hughes (May 21)