Snort mailing list archives
SMTP preprocessor triggering on incorrect data
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Tue, 19 Sep 2006 07:12:03 +1200
I just had an FP event generated by the SMTP preprocessor

    # smtp: SMTP normalizer, protocol enforcement and buffer overflow preprocessor
    smtp: ports { 25 587 } \
          ignore_tls_data \
          ignore_data \
          inspection_type stateful \
          normalize cmds \
          normalize_cmds { EXPN VRFY RCPT } \
          alt_max_command_line_len 260 { MAIL } \
          alt_max_command_line_len 300 { RCPT } \
          alt_max_command_line_len 500 { HELP HELO ETRN } \
          alt_max_command_line_len 255 { EXPN VRFY }

The event was "Attempted specific command buffer overflow: HELP, 941 chars", but the captured packet shows the word help was actually within the DATA component of the SMTP stream - not an SMTP command.

It was from one of our internal Exchange servers to another Exchange server, so I assume their initial SMTP dialog was vaguely compliant. :-)

This is snort 2.6.0.2 under RHE4

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
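An added illustration of the false positive described above (this is not code from Jason's post or from Snort's SMTP preprocessor): a small client-side checker that applies the alt_max_command_line_len limits from the posted config. The stateless variant treats every client line as a command and reproduces the alert on a 941-character body line that happens to start with the word "help"; the stateful variant tracks the DATA/"." boundary and only measures real command lines. The SMTP session, the host names and the 512-octet fallback limit are constructed assumptions; the example inspects only the client half of the conversation and assumes the server accepted the DATA command.

```python
# Added example, not from the original post or from Snort itself: a toy
# stateful vs. stateless SMTP command-length check.

# Limits copied from the smtp preprocessor config in the post.
ALT_MAX_COMMAND_LINE_LEN = {
    "MAIL": 260,
    "RCPT": 300,
    "HELP": 500, "HELO": 500, "ETRN": 500,
    "EXPN": 255, "VRFY": 255,
}
# Assumed fallback for commands without a specific entry (RFC 5321 minimum
# command line length is 512 octets, including CRLF).
DEFAULT_LIMIT = 512


def check_command_line(line):
    """Return an alert string if a command line exceeds its limit, else None.

    `line` is a single client line without its trailing CRLF.
    """
    cmd = line.split(" ", 1)[0].upper()
    limit = ALT_MAX_COMMAND_LINE_LEN.get(cmd, DEFAULT_LIMIT)
    length = len(line)
    if length > limit:
        return f"Attempted specific command buffer overflow: {cmd}, {length} chars"
    return None


def stateless_check(client_stream):
    """Naive checker: every non-empty client line is treated as a command.

    This is the behaviour that produces the false positive: a message body
    line beginning with "help" is measured against the HELP limit.
    """
    alerts = []
    for line in client_stream.split("\r\n"):
        if line == "":
            continue
        alert = check_command_line(line)
        if alert:
            alerts.append(alert)
    return alerts


def stateful_check(client_stream):
    """Stateful checker: lines after DATA up to the lone "." are message body.

    Body lines are never commands, so they are skipped entirely; only lines
    outside the DATA section are measured. (Assumes the server replied 354
    to DATA; the server side is not modelled here.)
    """
    alerts = []
    in_data = False
    for line in client_stream.split("\r\n"):
        if in_data:
            if line == ".":          # end-of-data marker closes the body
                in_data = False
            continue                 # body line: not subject to command limits
        if line == "":
            continue
        alert = check_command_line(line)
        if alert:
            alerts.append(alert)
        if line.upper() == "DATA":
            in_data = True
    return alerts


# Constructed client-side SMTP session (not a real capture): the body carries
# a 941-character line that starts with the word "help", as in the post.
CLIENT_STREAM = "\r\n".join([
    "EHLO exchange1.example.internal",
    "MAIL FROM:<alice@example.internal>",
    "RCPT TO:<bob@example.internal>",
    "DATA",
    "From: alice@example.internal",
    "Subject: weekly report",
    "",
    "help " + "x" * 936,             # 5 + 936 = 941 chars, inside DATA
    ".",
    "QUIT",
]) + "\r\n"


if __name__ == "__main__":
    print("stateless:", stateless_check(CLIENT_STREAM))
    print("stateful: ", stateful_check(CLIENT_STREAM))
```

Running it, the stateless pass reports the same "HELP, 941 chars" event the post describes, while the stateful pass reports nothing for that session but still alerts on an over-long HELP sent as an actual command outside DATA. The practical check on a real sensor is the same: confirm from the capture whether the offending line sits before or after the 354 response to DATA before treating an SMTP command-overflow event as genuine.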