Snort mailing list archives
Re: FP's for gen:124 sid:1 - smtp: Attempted command buffer overflow
From: Matt Watchinski <mwatchinski () sourcefire com>
Date: Thu, 12 May 2011 12:38:35 -0400
This on 2.9.0.5?

Cheers,
-matt

On Wed, May 11, 2011 at 4:43 PM, Eoin Miller <eoin.miller () trojanedbinaries com> wrote:
> On 5/11/2011 8:29 PM, Matt Watchinski wrote:
>> You got a full capture that replicates? Also any differences in your conf from the VRT conf?
>>
>> Cheers,
>> -matt
>
> Don't have PCAP on this stuff unfortunately. Conf should be the same as VRT's almost to the letter. Below is the smtp preproc section:
>
> preprocessor smtp: ports { 25 465 587 691 } \
>     inspection_type stateful \
>     enable_mime_decoding \
>     max_mime_depth 20480 \
>     normalize cmds \
>     normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
>     normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
>     normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
>     normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>     max_command_line_len 512 \
>     max_header_line_len 1000 \
>     max_response_line_len 512 \
>     alt_max_command_line_len 260 { MAIL } \
>     alt_max_command_line_len 300 { RCPT } \
>     alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
>     alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
>     alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>     valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
>     valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
>     valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
>     valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>     xlink2state { enabled }
>
> --
> Eoin
--
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-blog.snort.org && http://www.snort.org/vrt/
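Added example (not part of the thread and not Sourcefire code): without a PCAP, one way to triage gen:124 sid:1 is to replay client command lines from MTA logs against the max_command_line_len / alt_max_command_line_len values in the configuration quoted above. The sample lines are constructed. Two assumptions: the trailing CRLF is not counted, and a command listed under two alt limits is judged against the lower one, since the thread does not say which value Snort applies.

```python
import re

# Length options copied from the smtp preprocessor section quoted in the thread.
CONF = r"""
max_command_line_len 512 \
alt_max_command_line_len 260 { MAIL } \
alt_max_command_line_len 300 { RCPT } \
alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR }
"""

def parse_limits(conf):
    """Return (default_limit, {command: [alt limits in file order]})."""
    default = int(re.search(r"(?<!alt_)max_command_line_len\s+(\d+)", conf).group(1))
    per_cmd = {}
    for limit, cmds in re.findall(r"alt_max_command_line_len\s+(\d+)\s*\{([^}]*)\}", conf):
        for cmd in cmds.split():
            per_cmd.setdefault(cmd.upper(), []).append(int(limit))
    return default, per_cmd

def conflicting(per_cmd):
    """Commands that appear under more than one distinct alt limit."""
    return {c: v for c, v in per_cmd.items() if len(set(v)) > 1}

def check(line, default, per_cmd):
    """Return (command, length, limit, exceeds) for one client command line.
    Assumptions: CRLF is excluded from the length; a command with several
    alt limits is compared with the lowest (worst case for false positives)."""
    text = line.rstrip("\r\n")
    cmd = text.split(None, 1)[0].upper() if text.strip() else ""
    limit = min(per_cmd.get(cmd, [default]))
    return cmd, len(text), limit, len(text) > limit

# Constructed sample command lines (not taken from the thread).
SAMPLES = [
    "MAIL FROM:<alice@example.com> SIZE=10240\r\n",
    "MAIL FROM:<bounce+" + "a" * 240 + "@example.com> BODY=8BITMIME\r\n",
    "ETRN " + "x" * 250 + ".example.com\r\n",
]

def audit(samples=SAMPLES, conf=CONF):
    default, per_cmd = parse_limits(conf)
    return [check(s, default, per_cmd) for s in samples]

if __name__ == "__main__":
    print("listed under two alt limits:", conflicting(parse_limits(CONF)[1]))
    for row in audit():
        print(row)
```

In the quoted configuration ETRN (500 and 246) and RSET (255 and 246) each appear under two alt_max_command_line_len values, so the limit in effect for those commands depends on how Snort resolves the duplicate.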