Snort mailing list archives

Correct Link for the Snort Virtual Users Group


From: Mike Guiterman <mike.guiterman () sourcefire com>
Date: Tue, 19 Sep 2006 09:37:27 -0400

Hi all,

My apologies for the bad link.  The correct link to register for the Virtual
Users Group is below:

https://sourcefire.webex.com/sourcefire/j.php?ED=86930197&RG=1


Mike


On 9/18/06 10:51 PM, "snort-users-request () lists sourceforge net"
<snort-users-request () lists sourceforge net> wrote:

Send Snort-users mailing list submissions to
snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
snort-users-request () lists sourceforge net

You can reach the person managing the list at
snort-users-owner () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. SMTP preprocessor triggering on incorrect data (Jason Haar)
   2. Inaugural Snort Virtual Users Group Meeting Sept. 28
      (Mike Guiterman)
   3. Re: Inaugural Snort Virtual Users Group Meeting Sept. 28
      (Will Metcalf)
   4. Re: Inaugural Snort Virtual Users Group Meeting Sept. 28 (Jason)
   5. Re: error: log_tcpdump TcpdumpInitlogefile():no error (Joel Esler)


----------------------------------------------------------------------

Message: 1
Date: Tue, 19 Sep 2006 07:12:03 +1200
From: Jason Haar <Jason.Haar () trimble co nz>
Subject: [Snort-users] SMTP preprocessor triggering on incorrect data
To: snort-users () lists sourceforge net
Message-ID: <450EEF83.3040003 () trimble co nz>
Content-Type: text/plain; charset=ISO-8859-1

I just had an FP event generated by the SMTP preprocessor:

# smtp: SMTP normalizer, protocol enforcement and buffer overflow
preprocessor smtp: \
    ports { 25 587 } \
    ignore_tls_data \
    ignore_data \
    inspection_type stateful \
    normalize cmds \
    normalize_cmds { EXPN VRFY RCPT } \
    alt_max_command_line_len 260 { MAIL } \
    alt_max_command_line_len 300 { RCPT } \
    alt_max_command_line_len 500 { HELP HELO ETRN } \
    alt_max_command_line_len 255 { EXPN VRFY }


The event was "Attempted specific command buffer overflow: HELP, 941
chars", but the captured packet shows the word "help" was actually within
the DATA component of the SMTP stream, not an SMTP command. It was from
one of our internal Exchange servers to another Exchange server, so I
assume their initial SMTP dialog was vaguely compliant. :-)

This is snort 2.6.0.2 under RHE4
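To illustrate the failure mode described above, here is a small checker (added here; not Snort's code) that applies the alt_max_command_line_len limits from the config in the message to a client-side SMTP transcript, once while tracking the DATA phase and once treating every line as a command. The transcript, the 941-byte body line and the fallback limit for unlisted commands are constructed assumptions.

```python
# Limits taken from the snort.conf fragment in the message above.
CMD_LIMITS = {"MAIL": 260, "RCPT": 300, "HELP": 500, "HELO": 500, "ETRN": 500,
              "EXPN": 255, "VRFY": 255}
DEFAULT_LIMIT = 512  # assumed fallback for commands not listed above


def check_smtp_client_stream(stream: bytes, stateful: bool = True):
    """Return (command, length) alerts for over-long command lines.

    stateful=True  : lines between DATA and the lone "." terminator are the
                     message body and are never inspected as commands.
    stateful=False : every line is inspected as a command, which reproduces
                     the reported false positive on a body line starting
                     with "help".
    """
    alerts = []
    in_data = False
    for line in stream.split(b"\r\n"):
        if stateful and in_data:
            if line == b".":        # end-of-data marker: back to commands
                in_data = False
            continue                # body lines are not commands
        word = line.split(b" ", 1)[0].upper().decode("ascii", "replace")
        if len(line) > CMD_LIMITS.get(word, DEFAULT_LIMIT):
            alerts.append((word, len(line)))
        if stateful and word == "DATA":
            in_data = True
    return alerts


# Constructed client transcript: a compliant dialog followed by a 941-byte
# body line that happens to begin with the word "help".
BODY_LINE = b"help " + b"x" * 936           # 5 + 936 = 941 bytes
SESSION = b"\r\n".join([
    b"EHLO exch1.example.internal",
    b"MAIL FROM:<a@example.internal>",
    b"RCPT TO:<b@example.internal>",
    b"DATA",
    b"Subject: test",
    b"",
    BODY_LINE,
    b".",
    b"QUIT",
    b"",
])

if __name__ == "__main__":
    print("stateless:", check_smtp_client_stream(SESSION, stateful=False))
    print("stateful: ", check_smtp_client_stream(SESSION, stateful=True))
```

The stateless pass reports ("HELP", 941), the same alert as in the message; the stateful pass reports nothing because the line is inside DATA.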




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

