Snort mailing list archives
False positives due to stream4 issue?
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Wed, 30 Apr 2003 11:50:04 +1200
I've noticed that the FPs I'm getting for "SMTP From comment overflow attempt" look like an entire mail message in one packet. ACID shows me the following:

length = 2625
000 : 45 48 4C 4F 20 6D 61 69 6C 33 2E 67 70 6D 6E 65 EHLO mail3.gpmne
010 : 74 2E 63 6F 6D 0D 0A 4D 41 49 4C 20 46 72 6F 6D t.com..MAIL From
020 : 3A 3C 62 2E 79 6C 70 6F 69 6E 74 2E 30 2D 31 33 :<b.ylpoint.0-13
030 : 31 65 31 xxxxxxxxxxxxxxxxxx37 6 74 72 69 6D 62 1e17f-64f0.trimb
040 : 6C 65 2E 63 6F 6D 2E 2D 6B 61ddddddddddddddd 6E le.com.-kxxxxxxx
050 : 5Fxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 67 xxxxxxxx@mail3.g
060 : 70 6D 6E 65 74 2E 63 6F 6D 3E 20 53 49 5A 45 3D pmnet.com> SIZE=
070 : 35 36 39 35 0D 0A 52 43 50 54 20 54 6F 3A 3C 6B 5695..RCPT To:<k
080 : 61 74 68 6C 65 65 6E 5F 6D 63 6E 65 69 6C 79 40 xxxxxxxxxxxxxxx@
090 : 74 72 69 6D 62 6C 65 2E 63 6F 6D 3E 0D 0A 44 41 trimble.com>..DA
0a0 : 54 41 0D 0A 52 65 63 65 69 76 65 64 3A 20 28 66 TA..Received: (f
0b0 : 72 6F 6D 20 64 61 65 6D 6F 6E 40 6C 6F 63 61 6C rom daemon@local
0c0 : 68 6F 73 74 29 0D 0A 09 62 79 20 6D 61 69 6C 33 host)...by mail3
stuff deleted
900 : 65 77 20 59 6F 72 6B 2C 20 4E 59 20 31 30 30 32 ew York, NY 1002
910 : 33 2E 0D 0A 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3...<><><><><><>
920 : 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E <><><><><><><><>
930 : 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E <><><><><><><><>
940 : 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E <><><><><><><><>
950 : 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 0D 0A 0D 0A 54 6F <><><><><>....To
960 : 20 75 6E 73 75 62 73 63 72 69 62 65 2C 20 67 6F unsubscribe, go

Well - that ain't one packet now is it... Length 2625, and a whole bunch of SMTP commands followed by data. I have tested that SMTP server, and it doesn't support pipelining, so there's no way that happened as one packet. Any ideas what's going on there?
This is Snort-2.0 under RH-7

preprocessor frag2
preprocessor stream4: disable_evasion_alerts, detect_scans, timeout 30, memcap 8388608 ttl_limit 0
preprocessor stream4_reassemble: noalerts, both, ports 21 23 25 53 80 3128 143 110 111 513 8000 8080

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
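A way to check an alert payload like the one in the post without relying on the ASCII column: the example below (added here; not code from the post, from Snort or from ACID) rebuilds the bytes from an ACID-style hex dump, records any rows that were elided from the dump ("stuff deleted"), and counts the SMTP client commands that appear before DATA. A server that does not support pipelining receives one command per client turn, so several commands in a single alert payload mean the bytes span more than one turn, which is the "ain't one packet" observation above and is consistent with stream4_reassemble (port 25 is in the reassembly port list in the config) handing the rules a reassembled pseudo-packet rather than a single wire packet. The sample payload, host names and addresses are constructed for this example, and the function names (format_acid, parse_acid, analyze_smtp, check_dump) are hypothetical.

```python
import re

# Constructed sample payload for this example: a few SMTP client turns and
# the start of a message body. Hypothetical hosts and addresses, not the
# (partly redacted) traffic from the post.
SAMPLE_PAYLOAD = (
    b"EHLO mail.example.test\r\n"
    b"MAIL From:<sender@example.test> SIZE=1234\r\n"
    b"RCPT To:<recipient@example.test>\r\n"
    b"DATA\r\n"
    b"Received: (from daemon@localhost)\r\n"
    b"\tby mail.example.test\r\n"
    b"\r\n"
    b"<><><><><><><><><><><><><><><><><><><><><><><>\r\n"
    b"To unsubscribe, go away\r\n"
)

# SMTP verbs a client sends before DATA; everything after DATA is message body.
CLIENT_VERBS = {b"HELO", b"EHLO", b"MAIL", b"RCPT", b"RSET", b"NOOP", b"VRFY"}

_ROW = re.compile(r"^\s*([0-9a-fA-F]{3,})\s*:\s*(.*)$")  # "off : hex... ascii"
_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")


def format_acid(payload: bytes, width: int = 16) -> str:
    """Render bytes in the ACID hex-dump layout seen in the post:
    three-digit hex offset, up to 16 hex bytes, then an ASCII column."""
    rows = []
    for off in range(0, len(payload), width):
        chunk = payload[off:off + width]
        hexcol = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:03x} : {hexcol} {asc}")
    return "\n".join(rows)


def parse_acid(dump: str, width: int = 16):
    """Rebuild the payload from an ACID dump.

    Returns (payload, gaps). Lines that are not dump rows (an editor's
    'stuff deleted', surrounding mail text) are skipped; a jump in the
    offset column is recorded in gaps as (expected_offset, actual_offset)
    so the caller knows the rebuilt payload is incomplete. A redacted hex
    field (the 'xxxx' runs in the post) ends that row early as well.
    """
    payload = bytearray()
    gaps = []
    expected = 0
    for line in dump.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        off = int(m.group(1), 16)
        if off != expected:
            gaps.append((expected, off))
        row = bytearray()
        for tok in m.group(2).split()[:width]:  # at most one row of bytes
            if not _BYTE.match(tok):
                break                           # ASCII column or redaction
            row.append(int(tok, 16))
        payload += row
        expected = off + len(row)
    return bytes(payload), gaps


def analyze_smtp(payload: bytes) -> dict:
    """Count the client commands before DATA. One TCP segment to a server
    that does not pipeline carries one client turn, so several commands in
    a single alert payload mean the bytes were reassembled from a stream."""
    commands = []
    for line in payload.split(b"\r\n"):
        verb = line.split(b" ", 1)[0].upper()
        if verb == b"DATA":
            commands.append(verb)
            break
        if verb in CLIENT_VERBS:
            commands.append(verb)
    return {
        "commands": commands,
        "client_turns": len(commands),
        "reassembled_stream": len(commands) > 1,
    }


def check_dump(dump: str) -> dict:
    """Parse a dump and analyze it, attaching the elided-offset gaps."""
    payload, gaps = parse_acid(dump)
    result = analyze_smtp(payload)
    result["bytes_recovered"] = len(payload)
    result["gaps"] = gaps
    return result


if __name__ == "__main__":
    dump = format_acid(SAMPLE_PAYLOAD)
    print(dump)
    print(check_dump(dump))
```

Feeding the dump from the post into check_dump would stop the 030, 040 and 050 rows at the redaction marks and report the jump from 0xd0 to 0x900 as a gap, so the recovered byte count is lower than the 2625 ACID reports; the command count before DATA is what matters for the "one packet or reassembled stream" question, and the EHLO, MAIL, RCPT and DATA rows are intact.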
Current thread:
- False positives due to stream4 issue? Jason Haar (Apr 29)
- Re: False positives due to stream4 issue? Matt Kettler (Apr 29)
- Re: False positives due to stream4 issue? Jason Haar (Apr 29)
- Re: False positives due to stream4 issue? Matt Kettler (Apr 29)