Snort mailing list archives

Re: SMTP RCPT TO overflow


From: Ralf Hildebrandt <Ralf.Hildebrandt () charite de>
Date: Fri, 26 Apr 2002 00:59:12 +0200

On Thu, Apr 25, 2002 at 03:37:37PM -0400, Jhumri Tilayia wrote:

> alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP RCPT TO overflow"; 
> flags:A+; content:"rcpt to|3a|"; dsize:>800; reference:cve,CAN-2001-0260; 
> reference:bugtraq,2283; classtype:attempted-admin; sid:654; rev:1;)
> 
> Is the dsize:>800 for the packet or only for the content? We are not sure 
> what is setting off the alert since our maillogs don't indicate mail being 
> sent to a recipient with a very long name or control characters etc. in the 
> name. Anyone else experience something similar?

This is a stupid rule. With SMTP command pipelining, one can send more
than one rcpt to:<recipientaddress> per packet, thus causing the data
size to grow well beyond 800 bytes.

-- 
Ralf Hildebrandt (Im Auftrag des Referat V A)   Ralf.Hildebrandt () charite de
Charite Campus Virchow-Klinikum                 Tel.  +49 (0)30-450 570-155
Referat V A - Kommunikationsnetze -             Fax.  +49 (0)30-450 570-916
Why you can't find your system administrators:
Busy sitting in the middle of a pentagram with black candles putting a curse on the air-head executive that started 
circulating the warnings about the "e-mail virus". 
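Worked illustration of the false-positive Ralf describes. This is an added example, not code from the thread or from the Snort project: it mimics the matching logic of the quoted rule (the `content` match plus `dsize`, which in Snort is the size of the whole TCP payload, not of the matched string) over two constructed SMTP segments, one carrying forty ordinary pipelined `RCPT TO` commands and one carrying a single `RCPT TO` with an oversized recipient. Both trip the rule; only the second is the condition the rule is named for. A per-command check of the recipient argument length, added here as an alternative and not part of the rule, separates them. The case-insensitive comparison is an assumption (the rule as quoted has no `nocase` modifier), as are the threshold and the sample addresses.

```python
# Added example: the dsize/pipelining false positive described in the thread.

RULE_DSIZE = 800            # dsize:>800 from the quoted rule (whole payload)
RCPT_TO = b"rcpt to:"       # content:"rcpt to|3a|" from the quoted rule
CMD_LEN = len(RCPT_TO)


def rule_654_matches(payload: bytes) -> bool:
    """Approximate the quoted rule: 'rcpt to:' somewhere in the payload and a
    payload longer than 800 bytes. dsize is measured on the entire TCP payload,
    so a batch of short pipelined commands matches just like one huge command.
    (Assumption: the match is treated case-insensitively.)"""
    return RCPT_TO in payload.lower() and len(payload) > RULE_DSIZE


def longest_rcpt_argument(payload: bytes) -> int:
    """Per-command alternative: length of the longest argument following any
    'RCPT TO:' line. An overflow of the recipient field inflates this value;
    pipelining many ordinary recipients does not."""
    longest = 0
    for line in payload.split(b"\r\n"):
        if line[:CMD_LEN].lower() == RCPT_TO:
            longest = max(longest, len(line) - CMD_LEN)
    return longest


def rcpt_overflow_suspected(payload: bytes, threshold: int = RULE_DSIZE) -> bool:
    """Alert only when a single recipient argument exceeds the threshold."""
    return longest_rcpt_argument(payload) > threshold


def build_pipelined_batch(n: int, domain: bytes = b"example.org") -> bytes:
    """Constructed sample: n short RCPT TO commands sent in one segment, the
    way a pipelining client (PIPELINING extension, RFC 2920) would."""
    return b"".join(b"RCPT TO:<user%d@%s>\r\n" % (i, domain) for i in range(n))


# Constructed sample payloads (not captured traffic).
PIPELINED = build_pipelined_batch(40)                         # ~1190 bytes
SINGLE_LONG = b"RCPT TO:<" + b"A" * 1200 + b"@example.org>\r\n"  # one 1200-char local part


if __name__ == "__main__":
    for name, payload in (("pipelined batch", PIPELINED), ("single long recipient", SINGLE_LONG)):
        print(f"{name}: dsize={len(payload)} rule_654={rule_654_matches(payload)} "
              f"longest_rcpt_arg={longest_rcpt_argument(payload)} "
              f"per_command_alert={rcpt_overflow_suspected(payload)}")
```

Run as a script it prints that the quoted rule fires on both payloads while the per-command check fires only on the oversized recipient. A real detector would also have to handle a command split across two segments (stream reassembly), which this standalone check does not attempt.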


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users