Snort mailing list archives
Re: SMTP decoder
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Wed, 11 Feb 2015 21:50:50 +0000
You’ve got your two alternatives there. Raise the limit, or suppress the alert. Ask yourself what your action is going to be there. “What am I going to do about a big SMTP server command?” If the answer is “nothing”, then suppress the alert. If the answer is anything else, then use your best judgement as to what action you should take.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On Feb 11, 2015, at 9:51 AM, Dan Roberts <danroberts2604 () gmail com> wrote:

> Hello guys,
>
> I've been running SNORT for a few months now, and I still get a lot of alerts like:
> "(smtp) Attempted command buffer overflow: more than 512 chars ...."
>
> In the snort.conf file, we find the following parameter for the smtp decoder:
> "max_command_line_len 512"
>
> Although the maximum command line length is "strictly" limited to 512 by RFC 821 (HELO), RFC 1869 (EHLO) authorizes the extension of this limit:
> "... This specification extends the SMTP MAIL FROM and TO to allow additional parameters and parameter values. It is possible that the MAIL FROM and RCPT TO lines that result will exceed the 512 character limit on command line length imposed by RFC 821. ..."
>
> How do you guys manage this? Do you simply consider these alerts as FP? Have you raised the max_command_line_len limit?
>
> Cheers
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now.
> http://goparallel.sourceforge.net/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
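An added triage helper for choosing between the two options discussed in the thread (raise max_command_line_len or suppress the alert) from your own traffic rather than by guesswork. This is example code, not code from the thread or from the Snort project. It takes SMTP client command lines as you would extract them from a pcap or a mail-server log, measures each one against the limit, and separates lines that exceed 512 bytes only because of RFC 1869 MAIL FROM / RCPT TO parameters (a candidate for raising the limit) from lines that are long for any other reason (the case the alert exists for). The session below is constructed; the regex for MAIL/RCPT, the 256-byte rounding step, and the rule that an overshoot counts as "explained by ESMTP" only if the line would fit once its parameters are removed are this example's own assumptions, and it counts bytes without the trailing CRLF, which may differ from how the preprocessor counts.

```python
"""Triage helper for Snort's "(smtp) Attempted command buffer overflow" alert.

Added example, not code from the Snort project or from the mailing-list thread.
It measures SMTP client command lines against max_command_line_len and tells
apart overshoots caused by RFC 1869 (ESMTP) parameters on MAIL FROM / RCPT TO
from overshoots with any other cause.
"""
import re
from dataclasses import dataclass
from typing import List

SNORT_DEFAULT_LIMIT = 512  # snort.conf default: max_command_line_len 512 (RFC 821)

# Verbs whose lines RFC 1869 allows to grow with key=value parameters
ESMTP_EXTENSIBLE = {"MAIL", "RCPT"}

# MAIL FROM:<path> [params]  /  RCPT TO:<path> [params]  (assumed line shape)
_MAIL_RCPT = re.compile(r"^(MAIL|RCPT)\s+(FROM|TO):\s*(<[^>]*>|\S+)\s*(.*)$", re.IGNORECASE)
_REPLY = re.compile(r"^\d{3}[ -]")  # server reply lines such as "250 OK", "250-STARTTLS"


@dataclass
class CommandReport:
    verb: str
    length: int               # bytes on the line, trailing CRLF excluded
    over_limit: bool
    param_bytes: int          # bytes taken by ESMTP key=value parameters
    explained_by_esmtp: bool  # over the limit only because of those parameters


def analyze_command(line: str, limit: int = SNORT_DEFAULT_LIMIT) -> CommandReport:
    line = line.rstrip("\r\n")
    length = len(line.encode("utf-8"))
    verb = line.split(None, 1)[0].upper() if line.strip() else ""
    param_bytes = 0
    m = _MAIL_RCPT.match(line)
    if m and m.group(4):
        # everything after the path is parameter text (RFC 1869 section 6)
        param_bytes = len(m.group(4).encode("utf-8"))
    over = length > limit
    explained = over and verb in ESMTP_EXTENSIBLE and (length - param_bytes) <= limit
    return CommandReport(verb, length, over, param_bytes, explained)


def analyze_session(lines: List[str], limit: int = SNORT_DEFAULT_LIMIT) -> List[CommandReport]:
    """Report every client command in a session transcript, skipping server
    replies and the message body between DATA and the terminating '.'."""
    reports, in_data = [], False
    for raw in lines:
        line = raw.rstrip("\r\n")
        if in_data:
            in_data = line != "."
            continue
        if _REPLY.match(line):
            continue
        if line.upper() == "DATA":
            in_data = True
            continue
        reports.append(analyze_command(line, limit))
    return reports


def suggested_limit(reports: List[CommandReport], limit: int = SNORT_DEFAULT_LIMIT,
                    step: int = 256) -> int:
    """Smallest multiple of `step` (never below `limit`) that admits every command
    whose overshoot is explained by ESMTP parameters. Unexplained overshoots are
    ignored on purpose: those are what the alert is for, not a reason to raise it."""
    need = max((r.length for r in reports if r.explained_by_esmtp), default=0)
    return limit if need <= limit else -(-need // step) * step


# Constructed sample session (not real traffic)
LONG_ORCPT = "ORCPT=rfc822;" + "x" * 500 + "@example.test"
SAMPLE_SESSION = [
    "220 mail.example.test ESMTP",
    "EHLO client.example.test",
    "250-mail.example.test",
    "250 DSN",
    "MAIL FROM:<alice@example.test> SIZE=1048576 BODY=8BITMIME",
    "250 OK",
    # 576 bytes: over 512 only because of the DSN parameters
    "RCPT TO:<bob@example.test> NOTIFY=SUCCESS,FAILURE " + LONG_ORCPT,
    "250 OK",
    "DATA",
    "354 End data with <CR><LF>.<CR><LF>",
    "Subject: " + "y" * 700,  # header line, not a command line
    ".",
    "250 OK",
    "HELO " + "A" * 600,      # 605 bytes with no ESMTP parameters: keep alerting on this
    "QUIT",
]

if __name__ == "__main__":
    reports = analyze_session(SAMPLE_SESSION)
    for r in reports:
        if r.over_limit:
            tag = "explained by ESMTP params" if r.explained_by_esmtp else "NOT explained"
            print(f"{r.verb:5} {r.length:4d} bytes  {tag}")
    print("suggested max_command_line_len:", suggested_limit(reports))
```

Run it over a representative sample of your own captured command lines before touching snort.conf: if every overshoot lands in the "explained" column, raising max_command_line_len to the suggested value keeps the alert meaningful for the HELO-style case; if overshoots are rare and you would take no action on them anyway, suppression is the simpler choice the thread already points to.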
Current thread:
- SMTP decoder Dan Roberts (Feb 11)
- Re: SMTP decoder Joel Esler (jesler) (Feb 11)
- Re: SMTP decoder waldo kitty (Feb 12)
- Re: SMTP decoder Joel Esler (jesler) (Feb 11)