Snort mailing list archives
Re: Exploit? (RCPT overflow)
From: matt <mkettler () evi-inc com>
Date: Thu, 13 Jun 2002 20:26:56 -0400
Personally, that rule is so incredibly false-alert prone that I've disabled it. It merely looks for a TCP frame going to your SMTP server which contains more than 800 bytes of data. Any email can easily set that off if pipelining is used.
SMTP command pipelining allows several command lines to be sent as a single packet without waiting for an OK response. Any good high-volume mailserver will try to pipeline where possible, resulting in a single TCP frame containing a series of command lines, each of which is not very long, but which in aggregate easily exceed the 800 byte threshold, particularly if there is a large recipient list.
For more info on pipelining: http://www.faqs.org/rfcs/rfc1854.html
Since I know my mailserver is patched against such overflows, and I know the alert goes off at least three times a day here for various emails in the category listed above, I find that rule to be beyond worthless.
The rule can also be misled using carefully crafted packets to ensure that the RCPT TO: exploit is split into multiple frames. Stream4 can re-assemble the stream for content patterns, but it cannot total the segment length up (otherwise EVERY email would trigger this rule).
So I send one TCP frame containing:
RCPT To: something
Then another several frames containing:
really long that will overflow the rcpt to buffer within old and buggy mailservers {insert shellcode here} {more shellcode} ... [cr]
Boom, rcpt to: overflow without alerting that particular snort rule. Sorry, but IMHO that rule is worthless since it will be triggered by valid SMTP traffic to a large CC list in your domain, but can easily be avoided by someone not-very-clever. Unless your mailserver doesn't support pipelines, kill it, kill it dead.
At 04:01 PM 6/13/2002 -0700, Michael Northup wrote:
Today I'm seeing a lot of "SMTP RCPT TO overflow" alerts from a variety of outside sources. Is anyone else seeing the same?
Michael Northup
Burton Saw & Supply Co.
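The two failure modes matt describes, a pipelined batch of short RCPT TO lines that trips a per-frame size threshold and a single long recipient argument spread over several segments that slips under it, as an added Python example (not code from the original post or from the Snort project). It models the rule the way the post describes it, "RCPT TO present and more than 800 bytes of payload in one frame", and compares that with a check that reassembles the stream first and then measures each RCPT TO argument on its own. The 256-byte per-recipient limit, the sample segments and the function names are constructed for this example, not values from the thread or the rule.

```python
import re

# Payload size the per-frame rule discussed in the thread keys on (from the post).
FRAME_THRESHOLD = 800
# Constructed per-recipient argument limit for the stream-aware check; an
# assumption for this example, not a value from the thread or the Snort rule.
ARG_THRESHOLD = 256


def naive_frame_alert(segments):
    """Model of the per-frame rule: count segments that carry 'RCPT TO:' and
    exceed FRAME_THRESHOLD bytes of payload. Each TCP segment is judged alone."""
    return sum(
        1 for seg in segments
        if b"rcpt to:" in seg.lower() and len(seg) > FRAME_THRESHOLD
    )


def reassemble(segments):
    """Stand-in for stream reassembly: concatenate the segments in order."""
    return b"".join(segments)


def long_rcpt_args(stream, limit=ARG_THRESHOLD):
    """Split the reassembled stream into CRLF-terminated command lines and
    return the argument length of every RCPT TO command longer than `limit`.
    Pipelined short commands never trigger this, however many share a frame."""
    hits = []
    for line in stream.split(b"\r\n"):
        m = re.match(rb"rcpt to:\s*(.*)", line, re.IGNORECASE)
        if m and len(m.group(1)) > limit:
            hits.append(len(m.group(1)))
    return hits


def build_pipelined_frame(recipients=40):
    """Constructed benign traffic: one frame holding MAIL FROM plus many short
    RCPT TO lines sent pipelined (RFC 1854 style). The frame exceeds 800 bytes."""
    lines = [b"MAIL FROM:<sender@example.com>\r\n"]
    lines += [b"RCPT TO:<user%02d@example.com>\r\n" % i for i in range(recipients)]
    return [b"".join(lines)]


def build_split_segments(arg_len=1500, chunk=100):
    """Constructed oversized recipient (a run of 'A's, no real exploit data),
    cut into small segments so that no single frame exceeds 800 bytes."""
    payload = b"RCPT TO:<" + b"A" * arg_len + b"@example.com>\r\n"
    return [payload[i:i + chunk] for i in range(0, len(payload), chunk)]


# Constructed sample captures used below and by the checks.
PIPELINED = build_pipelined_frame()
SPLIT = build_split_segments()


def evaluate(segments):
    """Return both verdicts for one captured SMTP command stream."""
    return {
        "frame_alerts": naive_frame_alert(segments),
        "long_rcpt_args": long_rcpt_args(reassemble(segments)),
    }


if __name__ == "__main__":
    for name, segs in (("pipelined benign", PIPELINED), ("split oversized", SPLIT)):
        print(name, len(segs), "segment(s)", evaluate(segs))
```

The benign pipelined frame is 1232 bytes, so the per-frame model alerts on it while the per-command check finds nothing; the 1514-byte recipient argument split into 100-byte segments never shows a frame over 800 bytes, so the per-frame model stays silent while the per-command check reports it. The point is the one the post makes: reassembly alone (what stream4 does for content matching) is not enough, the length has to be measured per command after reassembly rather than per segment.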
Current thread:
- Exploit? Michael Northup (Jun 13)
- Re: Exploit? (RCPT overflow) matt (Jun 13)
- Curse of the cmd.exe Sam Evans (Jun 13)
- Re: Curse of the cmd.exe Chris Keladis (Jun 14)
- RE: Curse of the cmd.exe Andy McLeod (Jun 17)
- RE: Exploit? Don (Jun 13)
- <Possible follow-ups>
- RE: Exploit? Hilton De Meillon (Jun 13)
- RE: Exploit? Michael Brown (Jun 17)