Snort mailing list archives

snort-users mailinglist trigger snort


From: Martin Forest <martin () heimdalls co nz>
Date: Fri, 26 Apr 2002 14:13:14 +1200

snort-users mailing list triggers Snort.
Snort has started to set off alerts for me. I traced it down to the snort mailing list.

The following incoming mail generated a Snort alert.
Apr 26 13:21:05 xxxxx sendmail[7077]: g3Q1L3t07077: from=<snort-users-admin () lists sourceforge net>, size=4708, class=-60, nrcpts=1, msgid=<20020425232008.GF8261 () trimble co nz>, proto=ESMTP, daemon=Daemon0, relay=usw-sf-fw2.sourceforge.net [216.136.171.252]

And this is the snort alert.
[**] [1:654:1] SMTP RCPT TO overflow [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
04/26-13:21:49.276080 216.136.171.252:62524 -> n.n.n.n:25
TCP TTL:50 TOS:0x0 ID:25837 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x69A7C95C  Ack: 0x6A9DE587  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1372299287 699121
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0260]
[Xref => http://www.securityfocus.com/bid/2283]

Only some of the mail triggers Snort.
Does anyone know why?

/Martin Forest


