Snort mailing list archives
Re: False positives with SMTP RCPT TO overflow rule
From: "Nels Lindquist" <nlindq () maei ca>
Date: Thu, 27 Jun 2002 10:34:48 -0600
This seems to have dropped into the bit bucket the first time I sent it, so here we go again: On 25 Jun 2002 at 14:16, Matt Kettler wrote:
> At 11:09 AM 6/25/2002 -0600, Nels Lindquist wrote:
> > I just updated my signatures to the latest ones (as of June 24, anyway) and suddenly I'm getting hundreds of alerts on SMTP RCPT TO overflow.
>
> This came up a week or so ago. My general recommendation is that unless you run a vulnerable mailserver, kill this rule completely.

Will do.

> AFAIK this rule is easily bypassed by an attacker, and readily false-prone due to SMTP command pipelining. IMHO this rule is so completely broken it has no place in a general-purpose deployment of snort.

I noticed in the archived Bugtraq description of the vulnerability that no known exploit exists. Does that make it difficult/impossible to create a signature specific to this vulnerability?

Speaking of general-purpose snort deployments, are there any documented recommendations for which rules/rulesets ought to be included? Or is it just a given that one should be reviewing each and every rule for applicability to one's own situation? I looked through the Snort docs, but they seem to be more tailored to rule creation. If I didn't RTFM carefully enough, please let me know.

----
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.
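The two failure modes Matt names in the message above (false positives under SMTP command pipelining, and easy bypass), shown as an added example that is not part of this thread and is not Snort's rule or Snort code. The "naive" check below is an assumption standing in for a size-per-segment signature (the 800-byte threshold, the 320-byte argument limit and the 500-byte segment size are all made up for illustration; the real rule's options are not reproduced here). The SMTP traffic is constructed inline. A legitimate pipelined client batching many short RCPT TO lines into one segment trips the size heuristic, while a genuinely oversized RCPT TO argument spread over small TCP segments never does; only a check that reassembles the stream and measures each command's argument gets both cases right.

```python
"""Why a per-segment size heuristic for 'RCPT TO' overflow misfires under
SMTP pipelining and is trivially split by an attacker.  Added example;
the rule logic here is an assumed simplification, not Snort's rule."""
import re

# One SMTP command per line; capture whatever follows "RCPT TO:".
RCPT_RE = re.compile(rb"^RCPT TO:\s*(.*)$", re.IGNORECASE)


def naive_rule(segment: bytes, threshold: int = 800) -> bool:
    """Assumed size-based signature: fire when a single TCP segment
    mentions RCPT TO and the whole segment is longer than `threshold`.
    (Threshold is an assumption for illustration.)"""
    return b"rcpt to" in segment.lower() and len(segment) > threshold


def rcpt_args(stream: bytes):
    """Yield the argument of each RCPT TO command in a reassembled client stream."""
    for line in stream.split(b"\r\n"):
        m = RCPT_RE.match(line)
        if m:
            yield m.group(1)


def per_command_rule(stream: bytes, max_arg: int = 320) -> bool:
    """Fire only if one RCPT TO argument itself exceeds `max_arg` bytes.
    (Limit is an assumption for illustration.)"""
    return any(len(arg) > max_arg for arg in rcpt_args(stream))


def constructed_pipelined_session(n_rcpt: int) -> bytes:
    """Constructed sample: a legitimate pipelining client writes MAIL FROM,
    many RCPT TO lines and DATA in a single send."""
    lines = [b"MAIL FROM:<sender@example.com>"]
    lines += [b"RCPT TO:<user%03d@example.com>" % i for i in range(n_rcpt)]
    lines.append(b"DATA")
    return b"\r\n".join(lines) + b"\r\n"


def constructed_overflow_attempt(arg_len: int) -> bytes:
    """Constructed sample: one RCPT TO whose mailbox is `arg_len` bytes of filler."""
    return b"RCPT TO:<" + b"A" * arg_len + b"@example.com>\r\n"


def split_into_segments(stream: bytes, size: int) -> list:
    """Model the sender splitting its stream into TCP segments of `size` bytes."""
    return [stream[i:i + size] for i in range(0, len(stream), size)]


def demo() -> dict:
    """Run both checks over both samples; returns the four verdicts."""
    benign = constructed_pipelined_session(40)          # ~1.3 KB of normal commands
    attack_segments = split_into_segments(constructed_overflow_attempt(1500), 500)
    return {
        # False positive: many short RCPT TOs in one segment exceed the size threshold.
        "naive_fires_on_pipelined": naive_rule(benign),
        "per_command_fires_on_pipelined": per_command_rule(benign),
        # Bypass: no single segment of the long RCPT TO is over the threshold.
        "naive_fires_on_split_attack": any(naive_rule(s) for s in attack_segments),
        # Reassembling the stream first recovers the oversized argument.
        "per_command_fires_on_split_attack": per_command_rule(b"".join(attack_segments)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The lesson for tuning is the one Matt gives: a signature keyed on segment size cannot separate pipelined legitimate traffic from a long argument, so it is noisy on busy relays and silent against a sender who splits the command, and a per-command length check only works on top of stream reassembly.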
Current thread:
- False positives with SMTP RCPT TO overflow rule Nels Lindquist (Jun 25)
- Re: False positives with SMTP RCPT TO overflow rule Matt Kettler (Jun 25)
- Re: False positives with SMTP RCPT TO overflow rule Nels Lindquist (Jun 27)
- Re: False positives with SMTP RCPT TO overflow rule Matt Kettler (Jun 27)
- Re: False positives with SMTP RCPT TO overflow rule Chris Green (Jun 27)
- Re: False positives with SMTP RCPT TO overflow rule Nels Lindquist (Jun 27)
- Re: False positives with SMTP RCPT TO overflow rule Matt Kettler (Jun 25)
- <Possible follow-ups>
- RE: False positives with SMTP RCPT TO overflow rule Slighter, Tim (Jun 25)
- RE: False positives with SMTP RCPT TO overflow rule Nels Lindquist (Jun 25)
- RE: False positives with SMTP RCPT TO overflow rule Slighter, Tim (Jun 26)