Snort mailing list archives
Re: chameleon overflow
From: Brian Caswell <bmc () mitre org>
Date: Fri, 08 Jun 2001 18:41:12 -0400
Paulie wrote:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"IDS266 - CAN-1999-0261 - SMTP Chameleon Overflow"; content: "HELP"; nocase; flags: AP; dsize: >500; depth: 10;)
>
> So basically it alarms on any inbound SMTP packet big enough and with the ever so infrequent word HELP in it.
Well, any SMTP packet big enough, that is, larger than 500, that includes the word help in the first 10 characters of the packet. Both arachnids and the snort.org rulesets have had this rule modified for quite some time. Upgrade your ruleset.

The current rule content/depth is:

content:"HELP "; depth:5;

That should help cut down on the false positives.

--
Brian Caswell
The MITRE Corporation
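An added example, not from the thread or from the Snort project: a small evaluator for the content/nocase/depth/dsize options used by both versions of the rule, run over constructed SMTP payloads to show which false positives the revised content:"HELP "; depth:5; removes. The flags:AP TCP-flag test is not modelled, and the sample payloads are constructed here.

```python
# Added example (not from the thread): a minimal evaluator for the Snort
# options this message discusses (content, nocase, depth, dsize), used to
# compare the old and revised Chameleon rules on constructed SMTP payloads.

OLD_RULE = {"content": b"HELP", "nocase": True, "depth": 10, "dsize_gt": 500}
NEW_RULE = {"content": b"HELP ", "nocase": False, "depth": 5, "dsize_gt": 500}


def rule_matches(rule: dict, payload: bytes) -> bool:
    """Return True if the payload satisfies every option in the rule.

    dsize: >N   -> payload must be longer than N bytes
    depth: N    -> the content must be found entirely within the first N bytes
    nocase      -> compare case-insensitively
    (flags: AP is a TCP-flag test and is not modelled here.)
    """
    if len(payload) <= rule["dsize_gt"]:
        return False
    window = payload[: rule["depth"]]
    needle = rule["content"]
    if rule["nocase"]:
        window, needle = window.lower(), needle.lower()
    return needle in window


def _pad(prefix: bytes) -> bytes:
    """Pad a constructed payload past the 500-byte dsize threshold."""
    return prefix + b"x" * (600 - len(prefix))


SAMPLES = {
    # A real HELP command with an oversized argument: both rules fire.
    "help_command": _pad(b"HELP "),
    # Message-body chunk that merely begins with "Helpful": old rule fires
    # (case-insensitive "help" within 10 bytes), revised rule does not.
    "body_helpful": _pad(b"Helpful hints for new users\r\n"),
    # "HELPDESK" at the start of a DATA segment: same false positive.
    "body_helpdesk": _pad(b"HELPDESK ticket 1234\r\n"),
    # Large MAIL FROM line: neither rule fires.
    "mail_from": _pad(b"MAIL FROM:<user@example.invalid>\r\n"),
}


def compare_rules() -> dict:
    """Map each sample name to (old_rule_fires, new_rule_fires)."""
    return {name: (rule_matches(OLD_RULE, p), rule_matches(NEW_RULE, p))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (old, new) in compare_rules().items():
        print(f"{name:14s} old={old!s:5s} new={new!s}")
```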