Snort mailing list archives

Re: False positives with SMTP RCPT TO overflow rule


From: "Nels Lindquist" <nlindq () maei ca>
Date: Thu, 27 Jun 2002 10:34:48 -0600

This seems to have dropped into the bit bucket the first time I sent 
it, so here we go again:

On 25 Jun 2002 at 14:16, Matt Kettler wrote:

> At 11:09 AM 6/25/2002 -0600, Nels Lindquist wrote:
>
> > I just updated my signatures to the latest ones (as of June 24,
> > anyway) and suddenly I'm getting hundreds of alerts on SMTP RCPT TO
> > overflow.
>
> This came up a week or so ago. My general recommendation is that unless you
> run a vulnerable mailserver, kill this rule completely.

Will do.

> AFAIK this rule is easily bypassed by an attacker, and readily false-prone
> due to SMTP command pipelining. IMHO this rule is so completely broken it has
> no place in a general-purpose deployment of snort.

I noticed in the archived Bugtraq description of the vulnerability 
that no known exploit exists.  Does that make it difficult/impossible 
to create a signature specific to this vulnerability?

Speaking of general-purpose snort deployments, are there any 
documented recommendations for which rules/rulesets ought to be 
included?  Or is it just a given that one should be reviewing each 
and every rule for applicability to one's own situation?  I looked 
through the Snort docs, but they seem to be more tailored to rule 
creation.  If I didn't RTFM carefully enough, please let me know.

----
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.
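[Added example, not part of the post above or of the Snort rule set.] Matt's two complaints about the rule, that pipelining makes it false-prone and that an attacker can bypass it, both come from matching on the size of a TCP payload that happens to contain "RCPT TO:" rather than on the length of a single RCPT TO argument. The script below models a rule of that kind (the threshold of 800 bytes and the "payload contains RCPT TO: and exceeds the threshold" logic are assumptions for illustration, not the actual signature text), puts a per-command check beside it, and runs both over constructed traffic: a legitimate pipelined session with forty short recipients, a single oversized recipient, and the same oversized recipient split across small segments.

```python
"""
Added example (not from the mailing list thread): why a payload-size check
keyed on "RCPT TO:" misfires on pipelined SMTP, and a per-command check
that does not.  THRESHOLD and the rule logic are assumptions for
illustration, not the text of the real Snort signature.
"""
import re

THRESHOLD = 800  # assumed argument-length limit for the overflow check


def naive_alert(payload: bytes) -> bool:
    """Model of a payload-level rule: fire when the TCP payload carries
    'RCPT TO:' anywhere and the whole payload exceeds THRESHOLD bytes."""
    return re.search(rb"(?i)rcpt to:", payload) is not None and len(payload) > THRESHOLD


def rcpt_args(payload: bytes):
    """Split the payload into SMTP command lines (CRLF-delimited) and yield
    the argument of each RCPT TO command.  A trailing fragment without CRLF
    is treated as a possibly incomplete line."""
    for line in payload.split(b"\r\n"):
        m = re.match(rb"(?i)rcpt to:\s*(.*)", line)
        if m:
            yield m.group(1)


def per_command_alert(payload: bytes) -> bool:
    """Fire only when one RCPT TO argument by itself exceeds THRESHOLD bytes."""
    return any(len(arg) > THRESHOLD for arg in rcpt_args(payload))


def classify(payload: bytes) -> dict:
    return {"naive": naive_alert(payload), "per_command": per_command_alert(payload)}


# Constructed sample 1: a legitimate pipelined session (RFC 2920) in which a
# client with many recipients sends forty short RCPT TO lines in one segment.
# The whole payload is ~1.5 KB; no single argument is anywhere near THRESHOLD.
PIPELINED = (
    b"MAIL FROM:<list-owner@example.org>\r\n"
    + b"".join(b"RCPT TO:<subscriber%03d@example.net>\r\n" % i for i in range(40))
    + b"DATA\r\n"
)

# Constructed sample 2: one RCPT TO with a 1.2 KB argument, the shape an
# actual overflow attempt would have.
OVERSIZED = b"RCPT TO:<" + b"A" * 1200 + b"@example.net>\r\n"

# Constructed sample 3: the same command delivered one small segment at a
# time.  Each segment on its own is well under THRESHOLD.
FRAGMENTS = [b"RCPT TO:<", b"A" * 400, b"A" * 400, b"A" * 400, b"@example.net>\r\n"]

if __name__ == "__main__":
    print("pipelined:", classify(PIPELINED))                 # naive fires: false positive
    print("oversized:", classify(OVERSIZED))                 # both fire
    print("fragments:", [classify(f) for f in FRAGMENTS])    # neither fires per segment
    print("reassembled:", classify(b"".join(FRAGMENTS)))     # per-command fires again
```

The pipelined sample is the false positive Matt describes: a busy list server sending many recipients in one segment trips the payload-size check while every individual argument is tiny. The fragmented sample is the bypass: per segment, neither check fires, and only the reassembled stream exposes the oversized argument, so whether a signature of this kind can be evaded by splitting the command depends on the sensor reassembling the TCP stream before the rule is evaluated rather than on the rule itself.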



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

