Snort mailing list archives

Re: smtp: Attempted command buffer overflow


From: Phil Daws <uxbod () splatnix net>
Date: Wed, 17 Apr 2013 13:38:06 +0100 (BST)

Manuel,

Thank you for the reply, but I am at a loss as to what you mean. I thought the rule was saying that the number of bytes
in the HELO/EHLO line was > 512 as defined by:

max_command_line_len 512

in the preprocessor section of snort.conf.

Am I wrong in my understanding?

Thanks.


----- Original Message ----- 
From: "Manuel Garcia-Zamora" <zamoram () uk innovation-group com> 
To: "Phil Daws" <uxbod () splatnix net> 
Sent: Wednesday, 17 April, 2013 9:33:57 AM 
Subject: RE: smtp: Attempted command buffer overflow 

Phil,
This is probably because the email server lists.sourceforge.net is not defined as a corporate mail server among the email
servers in the configuration file; therefore it is not an authorized email relay server to connect to by SMTP.

You should not allow any outbound SMTP. If this is for an authorized source, then you can create an exception to this
alert by source IP.

Regards 

Manuel 

-----Original Message----- 
From: Phil Daws [mailto:uxbod () splatnix net] 
Sent: 17 April 2013 09:07 
To: snort-users () lists sourceforge net 
Subject: [Snort-users] smtp: Attempted command buffer overflow 

Hello, 

I have recently installed Snort and am beginning to see a lot of alerts from the SMTP preprocessor for SID 124:1:1.
Looking at the payload data, it shows:

0000000: 45 48 4c 4f 20 6c 69 73 74 73 2e 73 6f 75 72 63 65 66 6f 72 67 65 2e 6e 65 74 EHLO.lists.sourceforge.net 
000001A: 0d 0a .. 

This, to an untrained eye, looks okay, so why would it be tripping the test?

Thanks. 

------------------------------------------------------------------------------ 
Precog is a next-generation analytics platform capable of advanced analytics on semi-structured data. The platform 
includes APIs for building apps and a phenomenal toolset for data science. Developers can use our toolset for easy data 
analysis & visualization. Get a free account! 
http://www2.precog.com/precogplatform/slashdotnewsletter 
_______________________________________________ 
Snort-users mailing list 
Snort-users () lists sourceforge net 
Go to this URL to change user options or unsubscribe: 
https://lists.sourceforge.net/lists/listinfo/snort-users 
Snort-users list archive: 
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users 

Please visit http://blog.snort.org to stay current on all the latest Snort news! 
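To put Phil's reading of the rule in concrete terms, here is an added example (my code, not Snort's preprocessor and not written by anyone in the thread) that rebuilds the EHLO line from the hex dump in the original message and applies a "longer than max_command_line_len" check to it. It assumes the check counts the command line up to and including its CRLF, treats a max_command_line_len of 0 as no limit, and counts an unterminated trailing fragment in full; the function names are mine.

```python
import re

# The EHLO payload as pasted in the original message (Snort hex dump: offset, hex bytes, printable view).
PAYLOAD_DUMP = """\
0000000: 45 48 4c 4f 20 6c 69 73 74 73 2e 73 6f 75 72 63 65 66 6f 72 67 65 2e 6e 65 74 EHLO.lists.sourceforge.net
000001A: 0d 0a ..
"""
HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")

def parse_hex_dump(dump):
    """Rebuild raw bytes from 'offset: hh hh ... printable' lines. Hex pairs are
    consumed until the first token that is not one (the printable view), and
    each offset is checked against the bytes read so far to catch a mangled dump."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        offset, rest = line.split(":", 1)
        if int(offset, 16) != len(out):
            raise ValueError(f"offset {offset} does not match {len(out)} bytes read")
        for tok in rest.split():
            if not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)

def command_lines(payload):
    """Split a client payload into SMTP command lines, CRLF included. A trailing
    fragment with no CRLF is returned with terminated=False; it still counts."""
    lines, rest = [], payload
    while rest:
        idx = rest.find(b"\r\n")
        if idx < 0:
            lines.append((rest, False))
            break
        lines.append((rest[:idx + 2], True))
        rest = rest[idx + 2:]
    return lines

def exceeds_max_command_line_len(line, max_len=512):
    """The check as the thread describes it: alert when the command line is
    longer than max_command_line_len. A max_len of 0 is treated as no limit (assumption)."""
    return max_len > 0 and len(line) > max_len

if __name__ == "__main__":
    for line, terminated in command_lines(parse_hex_dump(PAYLOAD_DUMP)):
        print(len(line), terminated, exceeds_max_command_line_len(line))  # 28 True False
    oversized = b"EHLO " + b"a" * 600 + b"\r\n"  # constructed oversized line, not from the thread
    print(exceeds_max_command_line_len(oversized))  # True
```

The captured line measures 28 bytes, far below the 512-byte limit Phil quotes, so the length check alone, as he understands it, would not fire on this payload.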

