Snort mailing list archives
XEXCH50 evasion rule parse problems?
From: "Erik Norman" <erik.norman () datagram se>
Date: Wed, 26 Nov 2003 11:27:36 +0100
Hi all,

Starting from this morning, I'm getting alarms regarding XEXCH50 evasion attempt (sid 2253, 2254). In my opinion, the conditions for that rule are not met, but it still generates an alarm! More detailed information below.

Now what? Is this a known issue?

As I'm not participating in the snort-users list, please cc me in case of a reply.

Btw, snort rules! Thank you guys.

/Erik

The rule
--------
The rule says that a '-' should be within 1 distance away from the XEXCH50 keyword. Right?

...msg:"SMTP XEXCH50 overflow attempt"; flow:to_server,established; content:"XEXCH50"; nocase; content:"-"; distance:1;...

Packet extract
--------------
-snip-
50 x () xxxxx xx>..RCP
-snip-
76 T TO:<xxx.xxxxxx
-snip-
0A xxx () xxxxxx xx>..
-snip-
0A XEXCH50 1940 2..

Platform
--------
Snort 2.0.4 on NetBSD 1.6.1
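Added example (editor's note, not part of Erik's mail and not Snort's own code): a small Python model of how Snort 2.x evaluates a chain of relative content matches, run over constructed payloads shaped like the one in the mail. It assumes the Snort 2.x rule-language semantics, where distance:N only moves the start of the search N bytes past the end of the previous match and sets no upper bound on its own, while within:N is the modifier that bounds the search window. The sample payloads, the rule-chain names and the helper functions are my own; the chain with within:1 is a hypothetical tighter variant, not the shipped rule.

```python
"""Toy model of Snort 2.x relative content matching (added example).

Assumed semantics, from the Snort 2.x rule language:
  distance:N -> the search for this content starts N bytes after the end
                of the previous content match; no upper bound on its own
  within:N   -> the search window is N bytes long, so the pattern must lie
                entirely inside those N bytes
The model takes the first hit of each content and does not retry earlier
contents at later positions, which is a simplification of Snort's matcher.
"""


def match_content_chain(payload: bytes, contents) -> bool:
    """Return True if every content in the chain matches, in order.

    `contents` is a list of dicts with keys:
      pattern (bytes), nocase (bool), distance (int|None), within (int|None)
    """
    pos = 0  # absolute offset of the end of the previous match (0 = packet start)
    for c in contents:
        pattern = c["pattern"]
        start = pos + (c.get("distance") or 0)
        if start > len(payload):
            return False
        within = c.get("within")
        end = len(payload) if within is None else start + within
        window = payload[start:end]
        if c.get("nocase"):
            idx = window.lower().find(pattern.lower())
        else:
            idx = window.find(pattern)
        if idx < 0:
            return False
        pos = start + idx + len(pattern)
    return True


# The content chain as quoted in the mail: "-" is searched from one byte
# after the end of "XEXCH50" up to the END of the payload.
RULE_AS_WRITTEN = [
    {"pattern": b"XEXCH50", "nocase": True},
    {"pattern": b"-", "distance": 1},
]

# Hypothetical tighter chain (not the shipped rule): adding within:1 limits
# the "-" to the single byte that follows the skipped one.
RULE_ADJACENT = [
    {"pattern": b"XEXCH50", "nocase": True},
    {"pattern": b"-", "distance": 1, "within": 1},
]

# Constructed sample payloads (not captured traffic).  BENIGN mirrors the
# shape of the packet in the mail, with a "-" that appears later in the
# same segment; SUSPECT carries a negative size argument, the shape an
# "overflow attempt" rule with this content chain evidently targets.
BENIGN = b"RCPT TO:<user@example.net>\r\nXEXCH50 1940 2\r\nX-Mailer: foo-bar\r\n"
SUSPECT = b"XEXCH50 -1 2\r\n"


def evaluate_samples() -> dict:
    """Run both chains over both payloads; True means the chain would alert."""
    return {
        "benign_as_written": match_content_chain(BENIGN, RULE_AS_WRITTEN),
        "benign_adjacent": match_content_chain(BENIGN, RULE_ADJACENT),
        "suspect_as_written": match_content_chain(SUSPECT, RULE_AS_WRITTEN),
        "suspect_adjacent": match_content_chain(SUSPECT, RULE_ADJACENT),
    }


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name}: {'ALERT' if hit else 'no alert'}")
```

With the chain as written, the benign payload alerts because the "-" inside "X-Mailer" lies somewhere after the skipped byte, which is all distance:1 requires; the variant with within:1 only fires on the payload where "-" sits directly after that byte. Whether a tighter window is appropriate for the real rule is a separate question, since it also narrows what the rule catches.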
Current thread:
- XEXCH50 evasion rule parse problems? Erik Norman (Dec 03)