Snort mailing list archives
Re: SMTP RCPT TO overflow
From: Ralf Hildebrandt <Ralf.Hildebrandt () charite de>
Date: Fri, 26 Apr 2002 00:59:12 +0200
On Thu, Apr 25, 2002 at 03:37:37PM -0400, Jhumri Tilayia wrote:
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP RCPT TO overflow"; flags:A+; content:"rcpt to|3a|"; dsize:>800; reference:cve,CAN-2001-0260; reference:bugtraq,2283; classtype:attempted-admin; sid:654; rev:1;) Is the dsize:>800 for the packet or only for the content ? We are not sure what is setting off the alert since our maillogs don't indicate mail being sent to a recipient with a very long name or control characters etc. in the name. Anyone else experience something similar ?
This is a stupid rule. With SMTP command pipelining, one can send more than one rcpt to:<recipientaddress> per packet, thus causing the data size to grow well beyond 800 bytes. -- Ralf Hildebrandt (Im Auftrag des Referat V A) Ralf.Hildebrandt () charite de Charite Campus Virchow-Klinikum Tel. +49 (0)30-450 570-155 Referat V A - Kommunikationsnetze - Fax. +49 (0)30-450 570-916 Why you can't find your system administrators: Busy sitting in the middle of a pentagram with black candles putting a curse on the air-head executive that started circulating the warnings about the "e-mail virus". _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- SMTP RCPT TO overflow Jhumri Tilayia (Apr 25)
- Re: SMTP RCPT TO overflow Ralf Hildebrandt (Apr 25)
- Re: SMTP RCPT TO overflow Jason Haar (Apr 25)
- Message not available
- Re: SMTP RCPT TO overflow Jason Haar (May 06)
- REMOVE Jason Haar from the list! Martin Forest (May 07)
- Re: REMOVE Jason Haar from the list! Matt Kettler (May 07)
- RE: REMOVE Jason Haar from the list! Jason Withrow (May 07)
- Re: REMOVE Jason Haar from the list! Jason Haar (May 07)
- Message not available
- <Possible follow-ups>
- smtp rcpt to overflow Hugo Ferr (Jun 05)
- RE: smtp rcpt to overflow Hugh Brown (Jun 05)
- RE: smtp rcpt to overflow Ted Stringer (Jun 05)
- Re: smtp rcpt to overflow Edwin Eefting (Jun 05)
- RE: smtp rcpt to overflow Hugh Brown (Jun 05)