Snort mailing list archives

Re: SMTP RCPT TO overflow


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Fri, 26 Apr 2002 11:20:08 +1200

On Thu, Apr 25, 2002 at 03:37:37PM -0400, Jhumri Tilayia wrote:
> Is the dsize:>800 for the packet or only for the content ? We are not sure
> what is setting off the alert since our maillogs don't indicate mail being
> sent to a recipient with a very long name or control characters etc. in the
> name. Anyone else experience something similar ?

I've seen this a bit too. False positive. Check the timestamp of the hit
against your mail logs, and you will probably find a message from one of the
security mailing-lists - like BugTraq. 

From what I can read of it, what happened is:

alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP RCPT TO overflow";
flags:A+; content:"rcpt to|3a|"; dsize:>800; reference:cve,CAN-2001-0260;
reference:bugtraq,2283; classtype:attempted-admin; sid:654; rev:1;)

This means alert on a packet containing "rcpt to:" that is > 800 bytes. Now
in SMTP, typically a single packet is sent from the SMTP client to the
server that contains the "rcpt to:" envelope headers:

i.e.

SMTP Client                                    SMTP Server
(Pck1) "ehlo xxxxx"                  ---->
                                     <----    "250-Bite me"
(Pck2) "mail from: me@here.there"    ---->
                                     <----    "OK"
(Pck3) "rcpt to: you () there here"     ---->
etc


So Pck3 is typically pretty small - so if Pck3 is >800 bytes - it's
indicative of a buffer overflow attempt.

However, the same rule would catch the 7th line up too. This message should
cause a trigger too ;-)

Adding an "offset: 0" option to the rule should help. In fact that would
almost completely remove false positives on that one I think? (Comments?)


-- 
Cheers

Jason Haar

Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
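As an added illustration, not code from the thread or from the Snort project, here is a small Python model of the two tests in the posted rule, run over constructed SMTP client packets: a RCPT TO command with a normal recipient, the same command with a 1200-byte recipient, and a segment of a message body (think of a BugTraq post being delivered during DATA) that quotes the rule discussion. The packet contents and function names are mine. The model assumes what Snort does by default: content matches are case-sensitive unless nocase is set (the posted rule sets none), and dsize is evaluated on the whole TCP payload, not on the matched content. The anchored variant expresses what offset:0 combined with depth:8 would do in Snort, namely require "rcpt to:" at the very start of the payload, so only the packet carrying the command itself can fire.

```python
"""Toy model of Snort sid 654 ("SMTP RCPT TO overflow") as posted in the
thread, beside a variant that anchors the content match to the payload start.
All packets below are constructed for the example, not captured traffic."""


def matches_as_posted(payload: bytes) -> bool:
    # dsize:>800 applies to the whole TCP payload, not to the matched bytes.
    # content:"rcpt to|3a|" (|3a| is the hex colon) is searched anywhere in
    # the payload and, with no 'nocase' modifier, is case-sensitive.
    return len(payload) > 800 and b"rcpt to:" in payload


def matches_anchored(payload: bytes, depth: int = 8) -> bool:
    # Same size test, but the content must occupy the first `depth` bytes
    # (what offset:0 plus depth:8 express in Snort). A mail body that merely
    # quotes "rcpt to:" somewhere in the middle no longer matches.
    return len(payload) > 800 and payload[:depth] == b"rcpt to:"


# Constructed client -> server payloads (assumed, not from the original post).
PACKETS = {
    # Pck3 in the exchange above: a few dozen bytes, well under dsize:>800.
    "normal rcpt": b"rcpt to:<you@there.here>\r\n",
    # The case the rule was written for: an oversized recipient string.
    "overflow attempt": b"rcpt to:<" + b"A" * 1200 + b">\r\n",
    # A DATA-phase segment of a list message discussing the rule. It is over
    # 800 bytes and contains the literal "rcpt to:", so the posted rule fires.
    "bugtraq mail body": (
        b"Subject: Re: SMTP RCPT TO overflow\r\n\r\n"
        b"This means alert on a packet containing \"rcpt to:\" that is > 800 bytes.\r\n"
        b"(Pck3) \"rcpt to: you@there.here\"     ---->\r\n"
        + b"Further discussion of the rule and its false positives.\r\n" * 20
    ),
}


def evaluate(packets=PACKETS):
    """Return {name: (fires_as_posted, fires_when_anchored)} for each packet."""
    return {name: (matches_as_posted(p), matches_anchored(p))
            for name, p in packets.items()}


if __name__ == "__main__":
    for name, (posted, anchored) in evaluate().items():
        print(f"{name:18s} as-posted={str(posted):5s} anchored={anchored}")
```

Two caveats the model makes visible. First, the posted rule text itself contains "rcpt to|3a|", not a literal colon, so quoting the rule alone is not what trips it; the surrounding prose and diagram lines that spell out "rcpt to:" are. Second, because the content match is case-sensitive, a client or attacker that sends the command as "RCPT TO:" (the usual upper-case form) is not matched at all by the rule as posted; a nocase modifier would be needed to cover that, and anchoring with offset and depth does not change it.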

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
