Snort mailing list archives

SMTP preprocessor triggering on incorrect data


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Tue, 19 Sep 2006 07:12:03 +1200

I just had an FP event generated by the SMTP preprocessor

# smtp: SMTP normalizer, protocol enforcement and buffer overflow
preprocessor smtp: \
    ports { 25 587 } \
    ignore_tls_data \
    ignore_data \
    inspection_type stateful \
    normalize cmds \
    normalize_cmds { EXPN VRFY RCPT } \
    alt_max_command_line_len 260 { MAIL } \
    alt_max_command_line_len 300 { RCPT } \
    alt_max_command_line_len 500 { HELP HELO ETRN } \
    alt_max_command_line_len 255 { EXPN VRFY }


The event was "Attempted specific command buffer overflow: HELP, 941
chars", but the captured packet shows the word "help" was actually within
the DATA component of the SMTP stream - not an SMTP command. It was from
one of our internal Exchange servers to another Exchange server, so I
assume their initial SMTP dialog was vaguely compliant. :-)

This is snort 2.6.0.2 under RHE4


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
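The false positive described above, as an added example that is neither part of the original post nor Snort's own SMTP preprocessor code: a minimal client-side SMTP stream checker that applies the per-command line-length limits from the posted snort.conf only while the session is in the command phase, and skips everything between DATA and the terminating "." line. A second, stateless checker applies the same limits to every line, which is what turns a 941-byte body line beginning with "help" into a HELP overflow alert. The default limit of 512 and the two sample sessions are constructed for this illustration.

```python
"""
Stateful vs. stateless SMTP command-line length checking.

Added example (not Snort's code). The per-command limits below are the
alt_max_command_line_len values from the posted snort.conf; the default
limit and the sample sessions are constructed for this illustration.
"""
from typing import Dict, List, Tuple

# Per-command maximum command-line lengths, copied from the posted config.
ALT_MAX_CMD_LEN: Dict[str, int] = {
    "MAIL": 260, "RCPT": 300, "HELP": 500, "HELO": 500, "ETRN": 500,
    "EXPN": 255, "VRFY": 255,
}
# Assumed general limit for any other command line (RFC 5321 gives 512
# bytes including CRLF; the exact value is not in the original post).
DEFAULT_MAX_CMD_LEN = 512

Alert = Tuple[int, str, int]   # (line number, command verb, line length)


def _verb_and_limit(raw: bytes) -> Tuple[str, int]:
    """Extract the command verb from a line and look up its limit."""
    verb = raw.split(b" ", 1)[0].upper().decode("ascii", "replace")
    return verb, ALT_MAX_CMD_LEN.get(verb, DEFAULT_MAX_CMD_LEN)


def check_client_stream(client_bytes: bytes) -> List[Alert]:
    """Stateful check: lines inside the DATA section are never treated
    as commands, so they can never raise a command-length alert."""
    alerts: List[Alert] = []
    in_data = False
    for lineno, raw in enumerate(client_bytes.split(b"\r\n"), start=1):
        if in_data:
            if raw == b".":          # end of message body
                in_data = False
            continue
        if not raw:
            continue
        verb, limit = _verb_and_limit(raw)
        if len(raw) > limit:
            alerts.append((lineno, verb, len(raw)))
        if verb == "DATA":           # body follows until a lone "."
            in_data = True
    return alerts


def check_stateless(client_bytes: bytes) -> List[Alert]:
    """Same limits, but every line is treated as a command (no DATA
    tracking). This reproduces the false positive: a body line starting
    with the word "help" is measured against the HELP limit."""
    alerts: List[Alert] = []
    for lineno, raw in enumerate(client_bytes.split(b"\r\n"), start=1):
        if not raw:
            continue
        verb, limit = _verb_and_limit(raw)
        if len(raw) > limit:
            alerts.append((lineno, verb, len(raw)))
    return alerts


def build_session(body_line: bytes, help_arg: bytes = b"") -> bytes:
    """Constructed client side of an SMTP session (no server replies)."""
    lines = [
        b"EHLO mail.example.test",
        b"MAIL FROM:<alice@example.test>",
        b"RCPT TO:<bob@example.test>",
    ]
    if help_arg:
        lines.append(b"HELP " + help_arg)
    lines += [b"DATA", b"Subject: test", b"", body_line, b".", b"QUIT", b""]
    return b"\r\n".join(lines)


# Case 1 (the post): the word "help" at the start of a 941-byte line in
# the message body, after DATA.
BODY_FP = b"help " + b"x" * 936                       # 941 bytes
SESSION_FP = build_session(BODY_FP)

# Case 2: a genuine HELP command whose line is 941 bytes long.
SESSION_TP = build_session(b"hello", help_arg=b"y" * 936)   # "HELP " + 936

if __name__ == "__main__":
    print("stateful, body line :", check_client_stream(SESSION_FP))
    print("stateless, body line:", check_stateless(SESSION_FP))
    print("stateful, HELP cmd  :", check_client_stream(SESSION_TP))
```

Run as a script it prints no alert for the body line from the stateful checker, one HELP/941 alert for the same stream from the stateless checker, and one HELP/941 alert for the real over-long HELP command from both.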

