Snort mailing list archives
Sendmail crackaddr header overflow sig - Dozens of False Positives
From: "Jeff Oliveto" <joliveto () cleancommunications com>
Date: Thu, 6 Mar 2003 10:34:40 -0500
I am getting dozens of false positives on the new "SMTP From comment overflow attempt" signature (SID 2087 Rev 2), signature included below. It seems that if the message text includes a string of "<>" then it goes off. Example of a message text (i.e., signature block) that sets off SID 2087:

    "<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
    You received this email because you signed up to receive offers from GlobalPoint Media, LLC. and....."

Another example: it seems one of Cisco's auto-generated e-mail replies also contains a string of <><> that sets it off. In its current form...the signature is unusable. Is anyone working on a better signature?

BTW...bet a ton of snort sensors are going off right now based upon the text of this e-mail.

SID 2087 Rev 2 below:

    alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP From comment overflow attempt"; flow:to_server,established; content:"From\:"; content:"<><><><><><><><><><><><><><><><><><><><><><>"; distance:0; content:"("; distance:1; content:")"; distance:1; reference:cve,CAN-2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; classtype:attempted-admin; sid:2087; rev:2;)

Jeff Oliveto
Clean Communications
CLEAN Communications (formerly NetPlexus)
Value Based Security Solutions

The information contained in this message, and any attachment, is confidential and proprietary information, and may be legally privileged. It is intended for the above named recipient(s) only and is transmitted in confidence. It should be safeguarded to prevent unauthorized, negligent, or inadvertent use or disclosure. If this message is received in error, the sender should be notified and the message and any attachments deleted.
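To see why the rule fires on body text, the following added example (not from the original post or from the Snort rule set) emulates SID 2087 rev 2's ordered content checks over a whole SMTP DATA payload and compares them with an assumed header-scoped check that only inspects the unfolded From: header; the two messages are constructed samples, and the second merely contains the signature's byte pattern in a header, it is not an exploit.

```python
import re

# Chevron string copied from the SID 2087 rev 2 rule in the post above.
CHEVRONS = "<><><><><><><><><><><><><><><><><><><><><><>"

# Constructed newsletter: "<>" run and a parenthesis live in the BODY, not in From:.
BENIGN_NEWSLETTER = (
    "From: offers@example.invalid\r\n"
    "To: user@example.invalid\r\n"
    "Subject: weekly offers\r\n"
    "\r\n"
    + CHEVRONS + CHEVRONS + "\r\n"
    "You received this email because you signed up (see below).\r\n"
)

# Constructed header that contains the signature's byte pattern (not an exploit).
HEADER_HIT = (
    "From: " + CHEVRONS + " (comment) <x@example.invalid>\r\n"
    "To: user@example.invalid\r\n"
    "\r\n"
    "hello\r\n"
)

def sid2087_matches(payload: str) -> bool:
    """Emulate the rule's ordered content checks over the whole payload:
    'From:' anywhere, then the chevron string at or after the end of that
    match (distance:0), then '(' and ')' each starting at least one byte
    after the end of the previous match (distance:1)."""
    pos = payload.find("From:")
    if pos < 0:
        return False
    pos = payload.find(CHEVRONS, pos + len("From:"))
    if pos < 0:
        return False
    pos = payload.find("(", pos + len(CHEVRONS) + 1)
    if pos < 0:
        return False
    return payload.find(")", pos + 1 + 1) >= 0

def from_header(payload: str) -> str:
    """Return the unfolded From: header from the message headers (the part
    before the first blank line), or '' if there is none."""
    headers = payload.split("\r\n\r\n", 1)[0]
    unfolded = re.sub(r"\r\n[ \t]+", " ", headers)  # join folded continuation lines
    for line in unfolded.split("\r\n"):
        if line.lower().startswith("from:"):
            return line
    return ""

def header_scoped_match(payload: str) -> bool:
    """Assumed tighter check (not the official rule): same ordered checks,
    but applied only to the From: header, so body text cannot trigger it."""
    hdr = from_header(payload)
    return bool(hdr) and sid2087_matches(hdr)
```

Because the original rule anchors nothing to the header block, any "From:" followed later by the chevron run and a parenthesised phrase anywhere in the body satisfies it; the header-scoped variant clears the newsletter while still matching the pattern when it actually sits in From:.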
Current thread:
- Sendmail crackaddr header overflow sig - Dozens of False Positives Jeff Oliveto (Mar 07)