Snort mailing list archives
RE: False positives
From: "Cessna, Michael" <MCessna () rtm com>
Date: Tue, 30 Oct 2001 09:58:53 -0500
This rule triggers on a Lotus Domino Mail Server overflow error. Do you have a Domino Mail server? If not, comment out the rule. I had a bunch of these false positives with Exchange so I simply commented out the rule.

Here's the CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0260

Mike

-----Original Message-----
From: Chris Osicki [mailto:osk () gd2 swissptt ch]
Sent: Tuesday, October 30, 2001 9:11 AM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] False positives

Hi,

I'm trying to reduce the number of false positives I'm getting. One of the "over sensitive" rules is this one:

alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP RCPT TO overflow"; flags:A+; content: "rcpt to|3a|"; dsize:>800; reference:cve,CAN-2001-0260; reference:bugtraq,2283; classtype:attempted-admin; sid:654; rev:1;)

which alarms every time there is a packet containing "rcpt to:" and the packet payload is more than 800 bytes, which is not necessarily the length of the recipient list given to "rcpt to:".

[fire-proof overalls on]
Having a kind of limited regular expressions or wild-cards and a way to reference the size of the matched string would be, at least in this case, useful. Like

`content: "rcpt to|3a|*|0d 0a|"; msize:>800'

I don't have enough experience with snort to estimate how useful it could be to help detect other buffer overflows. Just wanted to share my thoughts.

Regards,
Chris

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
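The following Python script is an added illustration, not code from the thread or from Snort: it models the matching logic of SID 654 as quoted above (a case-sensitive content match plus a whole-packet dsize threshold) next to the field-length check Chris proposes with his hypothetical `msize` keyword, which Snort does not have and which is approximated here with a regular expression. The two SMTP payloads are constructed for the example; the benign one shows why a pipelined command stream followed by a message body trips the packet-size rule even though its RCPT TO argument is a normal address.

```python
import re

# SID 654 as quoted in the thread: content:"rcpt to|3a|" (no nocase, so the
# match is case-sensitive as written) and dsize:>800 on the whole payload.
RULE_CONTENT = b"rcpt to:"
RULE_DSIZE = 800


def sid654_matches(payload: bytes) -> bool:
    """Original rule logic: the string appears anywhere AND the packet payload is > 800 bytes."""
    return RULE_CONTENT in payload and len(payload) > RULE_DSIZE


def rcpt_to_arg_lengths(payload: bytes) -> list:
    """Length of each RCPT TO argument: the bytes between 'rcpt to:' and the next CRLF.
    SMTP verbs are case-insensitive, so the improved check ignores case."""
    pattern = re.compile(rb"rcpt to:([^\r\n]*)\r\n", re.IGNORECASE)
    return [len(m.group(1)) for m in pattern.finditer(payload)]


def msize_matches(payload: bytes, threshold: int = 800) -> bool:
    """Approximation of the proposed 'msize:>800': alert only when the matched
    field itself (not the packet carrying it) exceeds the threshold."""
    return any(n > threshold for n in rcpt_to_arg_lengths(payload))


# Constructed benign payload: several pipelined commands and a message body land in
# one TCP segment, so dsize is well over 800 although the recipient is 17 bytes long.
BENIGN = (
    b"MAIL FROM:<alice@example.com>\r\n"
    b"rcpt to:<bob@example.com>\r\n"
    b"DATA\r\n"
    b"Subject: quarterly report\r\n\r\n"
    + b"lorem ipsum " * 100
    + b"\r\n.\r\n"
)

# Constructed anomalous payload: a single RCPT TO argument far longer than any real address.
SUSPECT = b"MAIL FROM:<alice@example.com>\r\nrcpt to:<" + b"A" * 900 + b">\r\n"


def evaluate(payload: bytes) -> dict:
    """Return what each detection strategy decides for one packet payload."""
    return {
        "dsize": len(payload),
        "sid654": sid654_matches(payload),
        "msize": msize_matches(payload),
    }


if __name__ == "__main__":
    for name, payload in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, evaluate(payload))
```

Running it shows the benign payload matching the packet-size rule but not the field-length check, while the oversized recipient matches both; that gap is exactly the false-positive class Chris describes.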
Current thread:
- False positives Chris Osicki (Oct 30)
- <Possible follow-ups>
- RE: False positives Cessna, Michael (Oct 30)
- Re: False positives Chris Osicki (Oct 30)