Snort mailing list archives
Need help with rule - [124:7:1] smtp: Attempted header name buffer overflow
From: Irish Settingg <irishsetting () gmail com>
Date: Tue, 3 Feb 2015 03:54:10 +0530
We have SNORT IDS in our environment and we are receiving a lot of such
alerts -
[124:7:1] smtp: Attempted header name buffer overflow [Classification:
Attempted Administrator Privilege Gain] [Priority: 1] {TCP} Internal
IP:46125 -> Internal SMTP Server:25
What is this rule actually looking for, and what does the preprocessor rule
do here?
Do we get false positives due to this?
For the signature above, one forum suggested that if the email headers are
more than 64 characters, the alert gets triggered. I know that this rule
is not a REGEX based rule but how does it check in the traffic if the
header is not normal. Basically I want to know if this rule is of any use
or not.
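
The check that the forum suggestion quoted above describes, sketched as an added example (not Snort's code and not part of the original post): it measures each header name, the text before the colon, and reports names longer than 64 characters. Applying the limit to the name rather than to the whole line is an assumption taken from the alert's wording, and the sample message is constructed.

```python
"""Added illustration of a header-name length check; not Snort source code."""

# Assumption: 64 is the figure quoted from a forum in the post above. It is
# applied here to the header *name* only, following the alert text.
MAX_HEADER_NAME_LEN = 64


def long_header_names(message: bytes, limit: int = MAX_HEADER_NAME_LEN):
    """Return [(line_number, name_length)] for header names longer than `limit`.

    Only the header section is inspected: scanning stops at the first empty
    line. Folded continuation lines (leading space or tab) belong to the
    previous header's value and are skipped.
    """
    findings = []
    for lineno, raw in enumerate(message.splitlines(), start=1):
        if not raw:
            break  # blank line: end of headers, body follows
        if raw[:1] in (b" ", b"\t"):
            continue  # folded continuation of the previous header value
        # A line with no colon is measured whole, since a scanner looking
        # for the colon would run to the end of the line.
        name, _sep, _value = raw.partition(b":")
        if len(name) > limit:
            findings.append((lineno, len(name)))
    return findings


# Constructed sample: a long but ordinary Subject value (folded), one header
# with a 72-byte name, and a long "name: value" line in the body.
SAMPLE = (
    b"From: alice@example.test\r\n"
    b"To: bob@example.test\r\n"
    b"Subject: quarterly report with a long subject that runs well past sixty-four characters\r\n"
    b"\tand is folded onto a second line\r\n"
    b"X-" + b"A" * 70 + b": value\r\n"
    b"\r\n"
    b"Body-" + b"B" * 80 + b": not a header\r\n"
)

if __name__ == "__main__":
    for lineno, length in long_header_names(SAMPLE):
        print(f"line {lineno}: header name is {length} bytes (limit {MAX_HEADER_NAME_LEN})")
```

Under this reading a long header value, such as the Subject line in the sample, is not reported; only the 72-byte name is.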
