Snort mailing list archives
False positives with SMTP RCPT TO overflow rule
From: "Nels Lindquist" <nlindq () maei ca>
Date: Tue, 25 Jun 2002 11:09:04 -0600
Hi there. I just updated my signatures to the latest ones (as of June 24, anyway) and suddenly I'm getting hundreds of alerts on SMTP RCPT TO overflow. Looking at the payloads in ACID, every one of the alerts appears to be a false positive, i.e., part of a legitimate SMTP conversation. I did a comparison between the older version of the signature I was using previously, and the only difference is the addition of the "nocase" option.

From what I can tell, the rule is looking for "rcpt to:" followed by more than 800 bytes worth of data. Looking at the payload, the rule seems to be following the entire SMTP conversation, rather than just the RCPT TO fragment. Attached is an example.

So what's going on here? Should I just "pass" the rule, or should the rule be altered somehow to be more specific?

Thanks for any advice.

----
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.
Attachment: payload.txt (13627 bytes, text)
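Added example, not from the post or the Snort rule set: a small Python model of the two matching behaviours the post describes. `naive_match` searches for "rcpt to:" (with or without the case-insensitive option) and then counts every byte that follows it in the buffer, so on a reassembled SMTP session it measures the rest of the conversation; `line_bounded_match` measures only the argument of each RCPT TO command up to its CRLF. The SMTP session and the overlong command are constructed samples, and the 800-byte threshold is the one the post quotes.

```python
# Constructed sample: a legitimate SMTP session reassembled into one buffer.
# Twenty short RCPT TO lines plus a message body push the total past 800 bytes.
LEGIT_SESSION = (
    b"HELO mail.example.test\r\n"
    b"MAIL FROM:<sender@example.test>\r\n"
    + b"".join(b"RCPT TO:<user%02d@example.test>\r\n" % i for i in range(20))
    + b"DATA\r\n"
    + b"Subject: weekly report\r\n\r\n"
    + b"x" * 700 + b"\r\n.\r\n"
)

# Constructed sample: one RCPT TO command whose argument really is overlong.
OVERLONG_RCPT = b"RCPT TO:<" + b"A" * 1000 + b"@example.test>\r\n"

TOKEN = b"rcpt to:"      # the content the rule looks for
RCPT_MAX_ARG = 800       # byte threshold quoted in the post


def naive_match(payload: bytes, nocase: bool = True) -> bool:
    """Model of the behaviour the post describes: find the token anywhere in
    the buffer and count everything after it.  With nocase=False the lowercase
    token never matches the uppercase command clients actually send, which is
    why the older signature stayed quiet on the same traffic."""
    haystack = payload.lower() if nocase else payload
    idx = haystack.find(TOKEN)
    if idx < 0:
        return False
    # On a reassembled stream this is the rest of the whole conversation.
    return len(payload) - (idx + len(TOKEN)) > RCPT_MAX_ARG


def line_bounded_match(payload: bytes) -> bool:
    """More specific check: measure only the RCPT TO argument, i.e. the bytes
    between the token and the end of that command line."""
    for line in payload.split(b"\r\n"):
        if line[: len(TOKEN)].lower() == TOKEN:
            if len(line) - len(TOKEN) > RCPT_MAX_ARG:
                return True
    return False


def compare(payload: bytes) -> dict:
    """Return the verdict of each check so the two can be compared side by side."""
    return {
        "old_rule": naive_match(payload, nocase=False),
        "nocase_rule": naive_match(payload, nocase=True),
        "line_bounded": line_bounded_match(payload),
    }
```

Running `compare` on the legitimate session gives an alert only from the nocase variant, while the overlong command is caught by both the nocase variant and the line-bounded check.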