Snort mailing list archives

Re: smtp: Attempted command buffer overflow


From: Bhagya Bantwal <bbantwal () sourcefire com>
Date: Fri, 19 Apr 2013 13:12:27 -0400

Phil,

This looks like a FP. Do you happen to have a pcap for this?

I will file a bug to fix this.

Thanks!
-B


On Fri, Apr 19, 2013 at 11:33 AM, Phil Daws <uxbod () splatnix net> wrote:

Hello Shane,

I am beginning to agree as it's FP'ing Google, Sourceforge and many more WL
sources.  Am going to suppress those as something is not right at all.

Thanks.

----- Original Message -----
From: "Shane Castle" <scastle () bouldercounty org>
To: "Phil Daws" <uxbod () splatnix net>, "snort-users () lists sourceforge net"
<snort-users () lists sourceforge net>
Sent: Friday, 19 April, 2013 4:25:57 PM
Subject: RE: smtp: Attempted command buffer overflow

Every one of these I have ever investigated has turned out to be FP. I
have a full NSM installation so I can examine the complete conversation. I
have wound up suppressing the more chatty alerts in threshold.conf. I'm on
the point of disabling the smtp preprocessor entirely but I keep hoping
it's doing something useful.

The ones I am suppressing are 124:1, 124:7, and 124:10.

--
Shane Castle
Data Security Mgr, Boulder County IT

-----Original Message-----
From: Phil Daws [mailto:uxbod () splatnix net]
Sent: Friday, April 19, 2013 01:38
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] smtp: Attempted command buffer overflow

Still seeing a huge amount of these and the payload does not appear to be
over the threshold.  How would one best analyze why this is happening?

Thanks.

----- Original Message -----
From: "Phil Daws" <uxbod () splatnix net>
To: snort-users () lists sourceforge net
Sent: Wednesday, 17 April, 2013 1:38:06 PM
Subject: Re: [Snort-users] smtp: Attempted command buffer overflow

Manuel,

thank you for the reply but I am at a loss as to what you mean? I thought
the rule was saying that the number of bytes in the HELO/EHLO line was >
512 as defined by:

max_command_line_len 512

in the preprocessor section of snort.conf.

Am I wrong in my understanding?

Thanks.


----- Original Message -----
From: "Manuel Garcia-Zamora" <zamoram () uk innovation-group com>
To: "Phil Daws" <uxbod () splatnix net>
Sent: Wednesday, 17 April, 2013 9:33:57 AM
Subject: RE: smtp: Attempted command buffer overflow

Phil,
This is probably because the email server lists.sourceforge.net is not
defined as a corporate mail server in the email servers section of the
configuration file; therefore it is not an authorized email relay server to
connect to by SMTP.

You should not allow any outbound SMTP. If this is for an authorized
source, then you can create an exception to this alert by source IP.

Regards

Manuel

-----Original Message-----
From: Phil Daws [mailto:uxbod () splatnix net]
Sent: 17 April 2013 09:07
To: snort-users () lists sourceforge net
Subject: [Snort-users] smtp: Attempted command buffer overflow

Hello,

I have recently installed Snort and am beginning to see a lot of alerts from
the SMTP preprocessor for SID 124:1:1. Looking at the payload data it shows:

0000000: 45 48 4c 4f 20 6c 69 73 74 73 2e 73 6f 75 72 63 65 66 6f 72 67 65 2e 6e 65 74 EHLO.lists.sourceforge.net
000001A: 0d 0a ..

This to an untrained eye looks okay, so why would it be tripping the test?

Thanks.
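The following is an added example for this thread, not code from Snort or from any of the posters. It re-does by hand the check the alert claims to have made: it parses the payload dump above back into bytes, measures each SMTP command line against the max_command_line_len value of 512 quoted later in the thread, and also builds the threshold.conf suppress lines the later replies rely on (Snort's own suppress syntax; the IP address used is a documentation-range placeholder, and whether Snort counts the trailing CRLF toward the limit is an assumption noted in the code). Function names are the example's own.

```python
"""Re-check a Snort smtp preprocessor 'command buffer overflow' alert by hand.

Added example for this thread; it is not code from Snort or from any poster.
It parses the payload dump Phil posted, measures each SMTP command line the
way max_command_line_len is understood in the thread, and shows the
threshold.conf suppress syntax the later replies rely on.
"""
import re

MAX_COMMAND_LINE_LEN = 512  # the snort.conf value quoted in the thread

# Payload dump from Phil's first message (offset, hex bytes, ASCII column).
PAYLOAD_DUMP = """\
0000000: 45 48 4c 4f 20 6c 69 73 74 73 2e 73 6f 75 72 63 65 66 6f 72 67 65 2e 6e 65 74 EHLO.lists.sourceforge.net
000001A: 0d 0a ..
"""

_HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")


def parse_hex_dump(dump: str) -> bytes:
    """Recover raw bytes from an offset/hex/ASCII dump.

    Lines may start with an offset ("0000000:") or be a wrapped continuation
    of hex bytes; the first token that is not a two-digit hex byte is taken
    as the start of the ASCII column and the rest of the line is ignored.
    """
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if tokens and tokens[0].endswith(":"):
            tokens = tokens[1:]  # drop the offset column
        for tok in tokens:
            if not _HEX_BYTE.match(tok):
                break  # ASCII rendering begins here
            out.append(int(tok, 16))
    return bytes(out)


def smtp_command_lines(payload: bytes) -> list:
    """Split client data into CRLF-terminated SMTP command lines.

    A trailing line without CRLF is kept, since an over-long command that
    never terminates is exactly what a length check should catch.
    """
    lines = payload.split(b"\r\n")
    if lines and lines[-1] == b"":
        lines.pop()
    return lines


def check_command_lines(payload: bytes, limit: int = MAX_COMMAND_LINE_LEN) -> list:
    """Return (verb, length, over_limit) for each command line.

    Assumption: length is the command text without its CRLF; the thread does
    not say whether Snort counts the terminator, but two bytes cannot turn a
    26-byte EHLO into a 512-byte one.
    """
    results = []
    for line in smtp_command_lines(payload):
        verb = line.split(b" ", 1)[0].decode("ascii", "replace")
        results.append((verb, len(line), len(line) > limit))
    return results


def suppress_entry(gen_id: int, sig_id: int, src_ip: str = None) -> str:
    """Build a threshold.conf 'suppress' line (Snort's own syntax).

    Without src_ip the alert is silenced list-wide, as Shane describes; with
    it, only that source is exempted, as Manuel suggests.
    """
    entry = f"suppress gen_id {gen_id}, sig_id {sig_id}"
    if src_ip:
        entry += f", track by_src, ip {src_ip}"
    return entry


if __name__ == "__main__":
    payload = parse_hex_dump(PAYLOAD_DUMP)
    print(payload)
    for verb, length, over in check_command_lines(payload):
        print(f"{verb}: {length} bytes, limit {MAX_COMMAND_LINE_LEN}, over={over}")
    # 192.0.2.10 is a documentation-range placeholder, not an address from the thread.
    print(suppress_entry(124, 1))
    print(suppress_entry(124, 1, "192.0.2.10"))
```

Run as a script, it reports the EHLO line as 26 bytes against a limit of 512, which is the arithmetic Phil and Bhagya are both pointing at: the payload cannot have tripped a 512-byte length check, so the alert is a preprocessor defect rather than a detection. The suppress helper is there because suppression by source, rather than list-wide, keeps 124:1 alive for hosts that are not known-good.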


------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use our
toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
