SMTP ETRN overflow attempt

["NO JUNK MAIL" <no_junk-mail () mail com>]

Hello

I'm trying to modify this signature because it is being trigering "SMTP ETRN" alert when encrypted email come in that 
have "etrn" in them.   Going throught the sessions, and raw packets, you can find "etrn" in the encryption algarithum 
that was generated.  I'd like to narrow it up if possible.  Would anybody have a raw packet or more info on what the 
packet looks like when it is a lagitamite attack.  

Snort Signature;

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ETRN overflow attempt"; flow:to_server,established; 
content:"ETRN "; offset:0; depth:5; content:!"|0A|"; within:500; reference:cve,CAN-2000-0490; 
classtype:attempted-admin; sid:1550; rev:6;) 

Dragon Signature;

T D A S 5 10 25 SMTP:ETRN etrn/0d

They both only look for "etrn" and a carrige return.  I'd like it a little longer

Thanks 

Robert

-- 
__________________________________________________________
Sign-up for your own FREE Personalized E-mail at Mail.com
http://www.mail.com/?sr=signup



-------------------------------------------------------
Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
The only event dedicated to issues related to Linux enterprise solutions
www.enterpriselinuxforum.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users