Snort mailing list archives

Re: Need help with rule - [124:7:1] smtp: Attempted header name buffer overflow


From: Irish Settingg <irishsetting () gmail com>
Date: Wed, 4 Feb 2015 01:24:34 +0530

I basically wanted to know, this being a protocol-based signature, what
in the protocol triggers this. Can an email have a header size of more
than 64 bytes in normal circumstances? If yes, this signature may be
suppressed.

Also, can we make any change in a preprocessor rule to fit our environment?

On 3 February 2015 at 19:06, Jason Wallace <jason.r.wallace () gmail com>
wrote:

Take a look at the reference. CVE-2004-0105 is related to Metamail version
2.7. If you are not using Metamail, or if the version is greater than 2.7,
then you don't need to enable this rule.

On Mon, Feb 2, 2015 at 5:24 PM, Irish Settingg <irishsetting () gmail com>
wrote:

We have Snort IDS in our environment and we are receiving a lot of such
alerts:

[124:7:1] smtp: Attempted header name buffer overflow [Classification:
Attempted Administrator Privilege Gain] [Priority: 1] {TCP} Internal
IP:46125 -> Internal SMTP Server:25


Rule - [image: Inline images 2]


What is this rule actually looking for, and what does the preprocessor
rule do here?


Do we get false positives due to this?

For the signature above, one forum suggested that if the email headers are
more than 64 characters, the alert gets triggered. I know that this rule
is not a regex-based rule, but how does it check in the traffic if the
header is not normal? Basically I want to know if this rule is of any use
or not.



------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is
your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
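As an added illustration of the check the original post asks about (this is not Snort's source and not code from the thread): a toy model of the SMTP preprocessor's header-name length test, run over two constructed SMTP sessions. The 64-byte limit is the figure quoted in the thread; that a header name is everything before the first colon on a non-folded line, and that a line with no colon ends the header block, are assumptions made for the example.

```python
# Added example (not Snort code): a toy model of the check behind gid 124 / sid 7.
# Assumptions: limit is the 64 bytes quoted in the thread; a header name is the
# bytes before the first ':' on a non-folded line; a line without a colon ends
# the header block (treated as body text).
MAX_HEADER_NAME_LEN = 64


def check_header_names(session: bytes, limit: int = MAX_HEADER_NAME_LEN) -> list:
    """Return [(name_length, name_prefix)] for each DATA-section header whose
    name exceeds `limit`; an empty list means the session would not fire 124:7."""
    findings = []
    in_data = in_headers = False
    for line in session.split(b"\r\n"):
        if not in_data:
            in_data = in_headers = (line.strip().upper() == b"DATA")
            continue
        if line == b".":                 # end of message; back to command mode
            in_data = in_headers = False
            continue
        if not in_headers:
            continue
        if line[:1] in (b" ", b"\t"):    # folded continuation of the previous header
            continue
        colon = line.find(b":")
        if line == b"" or colon < 0:     # blank line (or non-header text) ends the headers
            in_headers = False
            continue
        if colon > limit:
            findings.append((colon, line[:limit].decode("ascii", "replace")))
    return findings


# Constructed sessions for illustration (not captured traffic).
NORMAL_SESSION = (
    b"HELO client.example\r\nMAIL FROM:<a@example.test>\r\nRCPT TO:<b@example.test>\r\n"
    b"DATA\r\nFrom: a@example.test\r\nSubject: weekly report\r\n"
    b"Received: from client.example\r\n by mx.example.test\r\n"   # folded header line
    b"\r\nBody text: this colon is in the body, not a header\r\n.\r\nQUIT\r\n"
)
LONG_NAME_SESSION = (
    b"DATA\r\nSubject: test\r\n" + b"X" * 70 + b": 1\r\n\r\nhello\r\n.\r\n"
)

if __name__ == "__main__":
    print(check_header_names(NORMAL_SESSION))      # -> []
    print(check_header_names(LONG_NAME_SESSION))   # -> [(70, 'X' * 64)]
```

In Snort itself the decision is made inside the preprocessor rather than by a rule body, so if the event is judged noise for a given sensor it is silenced with a `suppress gen_id 124, sig_id 7` line in threshold.conf rather than by editing rule options.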


