Snort mailing list archives

SMTP RCPT TO overflow

From: "Jhumri Tilayia" <tilayia () hotmail com>
Date: Thu, 25 Apr 2002 15:37:37 -0400

Hello,

It's obvious that the following rule is setting off the alert:

alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP RCPT TO overflow";flags:A+; content:"rcpt to|3a|"; dsize:>800; reference:cve,CAN-2001-0260;reference:bugtraq,2283; classtype:attempted-admin; sid:654; rev:1;)

Is the dsize:>800 for the packet or only for the content ? We are not surewhat is setting off the alert since our maillogs don't indicate mail beingsent to a recipient with a very long name or control characters etc. in thename. Anyone else experience something similar ?


Thanks.



_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

SMTP RCPT TO overflow Jhumri Tilayia (Apr 25)
- Re: SMTP RCPT TO overflow Ralf Hildebrandt (Apr 25)
- Re: SMTP RCPT TO overflow Jason Haar (Apr 25)
  - Message not available
    - Re: SMTP RCPT TO overflow Jason Haar (May 06)
    - REMOVE Jason Haar from the list! Martin Forest (May 07)
    - Re: REMOVE Jason Haar from the list! Matt Kettler (May 07)
    - RE: REMOVE Jason Haar from the list! Jason Withrow (May 07)
    - Re: REMOVE Jason Haar from the list! Jason Haar (May 07)
- <Possible follow-ups>
- smtp rcpt to overflow Hugo Ferr (Jun 05)
  - RE: smtp rcpt to overflow Hugh Brown (Jun 05)
    - RE: smtp rcpt to overflow Ted Stringer (Jun 05)

(Thread continues...)