Snort mailing list archives

Re: chameleon overflow


From: Brian Caswell <bmc () mitre org>
Date: Fri, 08 Jun 2001 18:41:12 -0400

Paulie wrote:
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"IDS266 - CAN-1999-0261 - SMTP Chameleon Overflow";
    content: "HELP"; nocase; flags: AP; dsize: >500; depth: 10;)

So basically it alarms on any inbound smtp packet big enough and with the
ever so infrequent word HELP in it.

Well, any SMTP packet larger than 500 that includes the word help in
the first 10 characters of the packet.

Both arachnids and the snort.org rulesets have had this rule modified
for quite some time.  Upgrade your ruleset.

The current rule content/depth is content:"HELP "; depth:5;

That should help cut down on the false positives.

-- 
Brian Caswell
The MITRE Corporation
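The following is an added example, not code from the Snort project or from either poster, that simulates the three rule options under discussion (content, depth, dsize) over a few constructed SMTP payloads. It shows why the old "HELP" / depth:10 form fired on ordinary large packets whose first ten bytes happened to contain "help" (for example a HELO from a host named helpdesk), while the current "HELP " / depth:5 form only fires when the payload starts with the HELP verb. The helper names are hypothetical, and the example assumes the nocase modifier was kept on the current rule, which the post does not say either way.

```python
# Added example (not from the Snort project or the mailing-list thread).
# Models Snort's content/depth/dsize matching for the two rule versions
# discussed above, using constructed SMTP payloads.

def content_within_depth(payload: bytes, content: bytes, depth: int, nocase: bool) -> bool:
    """Snort 'content' + 'depth' semantics: the pattern must lie entirely
    within the first `depth` bytes of the payload (depth counts from offset 0).
    """
    window = payload[:depth]
    if nocase:
        return content.lower() in window.lower()
    return content in window


def rule_matches(payload: bytes, content: bytes, depth: int, nocase: bool, dsize_gt: int) -> bool:
    """True when the payload satisfies dsize:>N and the content/depth test."""
    if len(payload) <= dsize_gt:          # dsize: >500 is a strict comparison
        return False
    return content_within_depth(payload, content, depth, nocase)


# Old rule as quoted in the thread: content:"HELP"; nocase; depth:10; dsize:>500
OLD_RULE = dict(content=b"HELP", depth=10, nocase=True)
# Current rule as described in the reply: content:"HELP "; depth:5
# (assumption: nocase retained; the trailing space and depth:5 force the
# match to start at byte 0, i.e. the packet must begin with the HELP verb)
NEW_RULE = dict(content=b"HELP ", depth=5, nocase=True)


def evaluate(payload: bytes) -> tuple[bool, bool]:
    """Return (old_rule_fires, new_rule_fires) for one payload."""
    return (
        rule_matches(payload, dsize_gt=500, **OLD_RULE),
        rule_matches(payload, dsize_gt=500, **NEW_RULE),
    )


# Constructed sample payloads (not real traffic); padding pushes size over 500.
PAD = b"X" * 600
SAMPLES = {
    # oversized HELP command: the case the rule is meant to catch, both fire
    "help_command": b"HELP " + PAD,
    # benign large packet from a host named helpdesk: "help" sits at offset 5,
    # inside the old depth:10 window, so only the old rule fires
    "helo_helpdesk": b"HELO helpdesk.example.net\r\n" + PAD,
    # "help" appears but beyond the first 10 bytes: neither rule fires
    "mail_body_help": b"DATA\r\nPlease help me " + PAD,
    # a real HELP command that is too small for dsize:>500: neither fires
    "small_help": b"HELP\r\n",
}


def run_samples() -> dict:
    """Evaluate every constructed sample against both rule versions."""
    return {name: evaluate(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (old, new) in run_samples().items():
        print(f"{name:16s} old={old!s:5s} new={new!s:5s}")
```

Running the block prints one line per sample; the helo_helpdesk case is the false positive the reply is talking about, and the tightened content/depth pair is what removes it without losing the oversized HELP case.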

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

