Snort mailing list archives
Re: SMTP HELO overflow attempt
From: "Ian Macdonald" <secsnort () dirk demon co uk>
Date: Tue, 30 Jul 2002 17:34:45 -0400
This rule is for Lotus Notes. You can ignore it if you are not running Lotus Notes.

Thanks

----- Original Message -----
From: "Andreas Hasenack" <andreas () conectiva com br>
To: "Capps Family" <capps27 () attbi com>
Cc: <snort-users () lists sourceforge net>
Sent: Tuesday, July 30, 2002 4:01 PM
Subject: Re: [Snort-users] SMTP HELO overflow attempt
On Mon, Jul 29, 2002 at 07:14:17PM -0700, Capps Family wrote:
> I then configured snort to log with the "X" option. When I compared the data captured for that IP with the same data in the tcpdump packet, the IP header looks completely different. Tcpdump looks perfect, the snort dump IP header data looks like it's been corrupted.

I've also seen some sort of corruption recently and I also have been scratching my head. What I see sometimes is some sort of overlapping happening with the data in the payload of HTTP packets.

I also caught the most weird "scan" (snort called it a FIN scan): a tcp segment with only FIN set (no ACK flag set, but with an ACK number), directed to port 53, and with a mail-like payload, with smtp commands, such as "FROM:", "DATA" and "QUIT", and a TCP header length of zero. Didn't have a parallel tcpdump running, so I don't know if the packet was really like this or if some corruption took place.

I'm using Version 1.8.7beta5 (Build 121)

-------------------------------------------------------
This sf.net email is sponsored by: Dice - The leading online job board for high-tech professionals. Search and apply for tech jobs today! http://seeker.dice.com/seeker.epl?rel_code=31
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
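An added example, not code from this thread or from Snort, showing how a decoder can flag the shape of segment Andreas describes (FIN set with no ACK flag, a non-zero ACK number, an SMTP-looking payload sent to port 53, and a TCP header length of zero) and tell it apart from a correctly framed segment. A TCP data offset of 0 is never valid (the minimum is 5 words, i.e. 20 bytes), so a decoder that trusts it would start the payload at the wrong place; the parser below clamps it instead of trusting it. The packet bytes, addresses, ports and the list of SMTP verbs are constructed assumptions for the example.

```python
"""Decode an IPv4/TCP frame without trusting its length fields, then flag the
anomalies discussed in the thread. Added example; the frames at the bottom are
constructed here, not captured from any sensor."""
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# Assumed list of SMTP verbs a mail-like payload would start with.
SMTP_VERBS = (b"HELO", b"EHLO", b"MAIL FROM:", b"DATA", b"QUIT")


def parse_ipv4_tcp(frame: bytes) -> dict:
    """Decode the IPv4 and TCP headers, clamping a bogus TCP data offset."""
    if len(frame) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", frame[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    tcp = frame[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", tcp[:20])
    data_offset = (off_flags >> 12) * 4   # header length in bytes, as claimed on the wire
    flags = off_flags & 0x3F
    # Only honour the claimed offset when it is at least the fixed header size;
    # a value below 20 (such as the zero Andreas saw) cannot be right.
    payload_start = data_offset if data_offset >= 20 else 20
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": data_offset, "flags": flags,
        "payload": tcp[payload_start:],
    }


def anomalies(pkt: dict) -> list:
    """Return the reasons a decoded segment looks malformed or crafted."""
    found = []
    if pkt["data_offset"] < 20:
        found.append("tcp header length %d < 20" % pkt["data_offset"])
    if pkt["flags"] & TCP_FIN and not pkt["flags"] & TCP_ACK:
        found.append("FIN without ACK")
    if not pkt["flags"] & TCP_ACK and pkt["ack"] != 0:
        found.append("ACK number set but ACK flag clear")
    if pkt["dport"] == 53 and pkt["payload"].startswith(SMTP_VERBS):
        found.append("smtp-like payload to port 53")
    return found


def build_frame(src, dst, sport, dport, seq, ack, offset_words, flags, payload):
    """Assemble an IPv4/TCP frame; checksums are left zero since the decoder ignores them."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (offset_words << 12) | flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp


# Constructed sample shaped like the segment in the thread: FIN only, ACK number
# present, destination port 53, SMTP-looking payload, data offset 0.
ODD_FRAME = build_frame("192.0.2.10", "198.51.100.5", 4321, 53, 1000, 5555, 0, TCP_FIN,
                        b"MAIL FROM:<a@example.com>\r\nDATA\r\nQUIT\r\n")
# Constructed sample of an ordinary data segment for contrast.
NORMAL_FRAME = build_frame("192.0.2.10", "198.51.100.5", 4321, 25, 1000, 5555, 5,
                           TCP_PSH | TCP_ACK, b"HELO mail.example.com\r\n")

if __name__ == "__main__":
    for name, frame in (("odd", ODD_FRAME), ("normal", NORMAL_FRAME)):
        pkt = parse_ipv4_tcp(frame)
        print(name, hex(pkt["flags"]), pkt["data_offset"], anomalies(pkt))
```

Run as is and the constructed odd frame reports all four anomalies while the normal segment reports none. Feeding both a sensor's own hex dump (the "X" output) and the parallel tcpdump capture through a decoder like this is one way to tell a crafted packet from a logging-side corruption: a wire-level anomaly shows up in both, a corruption only in one.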
Current thread:
- SMTP HELO overflow attempt Capps Family (Jul 30)
- Re: SMTP HELO overflow attempt Andreas Hasenack (Jul 31)
- Re: SMTP HELO overflow attempt Ian Macdonald (Jul 31)
- Re: SMTP HELO overflow attempt Andreas Hasenack (Jul 31)