Snort mailing list archives
SMTP ETRN overflow attempt
From: "NO JUNK MAIL" <no_junk-mail () mail com>
Date: Tue, 06 May 2003 11:37:20 -0500
Hello I'm trying to modify this signature because it is being trigering "SMTP ETRN" alert when encrypted email come in that have "etrn" in them. Going throught the sessions, and raw packets, you can find "etrn" in the encryption algarithum that was generated. I'd like to narrow it up if possible. Would anybody have a raw packet or more info on what the packet looks like when it is a lagitamite attack. Snort Signature; alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ETRN overflow attempt"; flow:to_server,established; content:"ETRN "; offset:0; depth:5; content:!"|0A|"; within:500; reference:cve,CAN-2000-0490; classtype:attempted-admin; sid:1550; rev:6;) Dragon Signature; T D A S 5 10 25 SMTP:ETRN etrn/0d They both only look for "etrn" and a carrige return. I'd like it a little longer Thanks Robert -- __________________________________________________________ Sign-up for your own FREE Personalized E-mail at Mail.com http://www.mail.com/?sr=signup ------------------------------------------------------- Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara The only event dedicated to issues related to Linux enterprise solutions www.enterpriselinuxforum.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- SMTP ETRN overflow attempt NO JUNK MAIL (May 06)
- Re: SMTP ETRN overflow attempt Matt Kettler (May 06)