Snort mailing list archives

Re: FP's for gen:124 sid:1 - smtp: Attempted command buffer overflow


From: Matt Watchinski <mwatchinski () sourcefire com>
Date: Thu, 12 May 2011 12:38:35 -0400

This on 2.9.0.5?

Cheers,
-matt

On Wed, May 11, 2011 at 4:43 PM, Eoin Miller
<eoin.miller () trojanedbinaries com> wrote:
On 5/11/2011 8:29 PM, Matt Watchinski wrote:

You got a full capture that replicates?  Also any differences in your
conf from the VRT conf?

Cheers,
-matt

Don't have PCAP on this stuff unfortunately. Conf should be the same as
VRT's almost to the letter. Below is the smtp preproc section:


preprocessor smtp: ports { 25 465 587 691 } \
   inspection_type stateful \
   enable_mime_decoding \
   max_mime_depth 20480 \
   normalize cmds \
   normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
   normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
   normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
   normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
   max_command_line_len 512 \
   max_header_line_len 1000 \
   max_response_line_len 512 \
   alt_max_command_line_len 260 { MAIL } \
   alt_max_command_line_len 300 { RCPT } \
   alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
   alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
   alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
   valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
   valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
   valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
   valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
   xlink2state { enabled }


-- Eoin




-- 
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-blog.snort.org && http://www.snort.org/vrt/
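Added illustration for triaging this alert (editor's example, not code from the thread, from Sourcefire or from Snort): gen:124 sid:1 is the smtp preprocessor's command-line length check, so the script below pulls max_command_line_len and the per-command alt_max_command_line_len lists out of a constructed excerpt of the quoted configuration and reports which of a few constructed SMTP command lines would exceed their limit. Two things are assumptions rather than documented Snort behaviour: that the compared length excludes the trailing CRLF, and that when a command appears in more than one alt_max_command_line_len list (ETRN and RSET do in the quoted config) the last entry wins; the parser therefore also reports such duplicates so the operator can check which limit is really in force.

```python
"""Offline check of SMTP command-line lengths against the smtp preprocessor
limits quoted in the thread. Added example, not Snort code."""
import re
from collections import Counter

# Constructed excerpt carrying the length limits from the quoted config
# (mail-wrapped inside the braces on purpose, as the archive shows it).
SMTP_PREPROC_CONFIG = r"""
preprocessor smtp: ports { 25 465 587 691 } \
   max_command_line_len 512 \
   alt_max_command_line_len 260 { MAIL } \
   alt_max_command_line_len 300 { RCPT } \
   alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
   alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM
ESND ESOM EVFY IDENT NOOP RSET } \
   alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET
QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB } \
"""

ALT_RE = re.compile(r"alt_max_command_line_len\s+(\d+)\s*\{([^}]*)\}", re.S)
# Negative lookbehind keeps the global limit from matching inside alt_max_...
DEFAULT_RE = re.compile(r"(?<!alt_)max_command_line_len\s+(\d+)")


def parse_limits(config):
    """Return (default_limit, {CMD: limit}, [commands listed more than once]).

    Assumption: a command listed in several alt_max_command_line_len blocks
    gets the last limit seen; Snort's real precedence is not stated on the
    page, so duplicates are returned for the operator to resolve.
    """
    text = config.replace("\\\n", " ")  # join backslash-continued lines
    m = DEFAULT_RE.search(text)
    default = int(m.group(1)) if m else None
    limits, seen = {}, Counter()
    for length, cmds in ALT_RE.findall(text):
        for cmd in cmds.split():  # tolerates mail wrapping inside the braces
            limits[cmd.upper()] = int(length)
            seen[cmd.upper()] += 1
    duplicates = sorted(c for c, n in seen.items() if n > 1)
    return default, limits, duplicates


def check_command_line(line, default, limits):
    """Classify one SMTP command line by length, as gen:124 sid:1 does.

    Assumption: the length compared excludes the trailing CRLF.
    Returns (command, length, applied_limit, would_alert).
    """
    stripped = line.rstrip("\r\n")
    parts = stripped.split(None, 1)
    cmd = parts[0].upper() if parts else ""
    limit = limits.get(cmd, default)  # unknown verbs fall back to the global limit
    would_alert = limit is not None and limit > 0 and len(stripped) > limit
    return cmd, len(stripped), limit, would_alert


def triage(lines, config=SMTP_PREPROC_CONFIG):
    """Run every sample line through the check; returns a list of tuples."""
    default, limits, _ = parse_limits(config)
    return [check_command_line(line, default, limits) for line in lines]


# Constructed sample command lines, sized around the configured limits.
SAMPLE_LINES = [
    "EHLO mail.example.test\r\n",                              # 22 chars, limit 500
    "MAIL FROM:<" + "a" * 240 + "@example.test>\r\n",          # 265 chars, limit 260
    "RCPT TO:<" + "b" * 280 + "@example.test>\r\n",            # 303 chars, limit 300
    "HELO " + "h" * 490 + "\r\n",                              # 495 chars, limit 500
    "X-UNLISTED " + "c" * 600 + "\r\n",                        # 611 chars, global 512
]

if __name__ == "__main__":
    default, limits, dups = parse_limits(SMTP_PREPROC_CONFIG)
    print(f"global limit {default}; commands listed more than once: {dups}")
    for cmd, n, lim, alert in triage(SAMPLE_LINES):
        print(f"{cmd:<11} len={n:<4} limit={lim:<4} "
              f"{'ALERT gen:124 sid:1' if alert else 'ok'}")
```

When an alert fires on traffic that is known good, the tuple shows which limit applied; a long but legitimate address on a MAIL or RCPT line is the usual culprit, and the fix is to raise that command's alt_max_command_line_len rather than the global value.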
