Snort mailing list archives

How to tune two rules?


From: "Turnbough, Bradley E." <bturnbough () belcan com>
Date: Thu, 8 Aug 2013 13:31:02 +0000

Guys,

I'm pretty new at using Snort, and I'm trying to tune two rules.

Can someone please tell me how to tune these two rules?

gen_id 124, sig_id 7  -- smtp: Attempted header name buffer overflow

gen_id 124, sig_id 1  -- smtp: Attempted command buffer overflow

My sensor is sitting in between my SMTP relays on the outside and my firewall, and I get several thousand of these 
daily.  I'm sure a majority of them are false positives, but nonetheless I need to tune this wild animal.


Thanks,

Brad


