Snort mailing list archives
Re: SMTP content-type overflow rule question
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 3 Dec 2010 16:46:21 -0500
The current version basically says "Not a return or a new line for 300 characters". So it seems to me that the buffer overflow is a Content-Type string that is 300 bytes or larger long.

J

On Fri, Dec 3, 2010 at 1:27 PM, Bobby Venal <bobby.venal () gmail com> wrote:
Hi all,

An organization I work with had an older version of the 'SMTP Content-Type overflow' rule in place; it was using this PCRE:

"/^Content-Type\x3A[^\x0d\x0a]{300,}$/im"

I noticed that the current version is this:

"/^\s*Content-Type\s*\x3A\s*[^\r\n]{300}/mi"

And I just wanted to make sure I understood one of the differences. Am I correct in thinking that:

{300,}$ means "at least 300 occurrences of the preceding character class, then end-of-line"

and

{300} means "exactly 300 occurrences of the preceding character class"

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Joel Esler
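The two expressions quoted in the thread, run side by side over constructed Content-Type lines (an added example, not part of the original messages and not Snort's own code). It shows that `{300}` without a trailing anchor fires on any run of 300 or more bytes, and which header layouts each pattern covers. It assumes Python's `re` module stands in for PCRE, where `$` under the multiline flag matches only before a bare LF; in PCRE the same behaviour depends on the newline convention the library was built with.

```python
import re

# The two PCREs quoted in the thread, translated to Python's re module
# (the /i and /m modifiers become re.I and re.M).
OLD = re.compile(r"^Content-Type\x3A[^\x0d\x0a]{300,}$", re.I | re.M)
NEW = re.compile(r"^\s*Content-Type\s*\x3A\s*[^\r\n]{300}", re.I | re.M)


def header(value_len, name="Content-Type", sep=":", eol="\r\n"):
    """Build a constructed message fragment with one Content-Type line."""
    return ("Subject: test" + eol
            + name + sep + "A" * value_len + eol
            + "X-Next: 1" + eol)


def verdicts(payload):
    """Return (old_pattern_matches, new_pattern_matches) for a payload."""
    return bool(OLD.search(payload)), bool(NEW.search(payload))


# Constructed sample inputs, not captured traffic.
CASES = {
    "299 bytes, CRLF": header(299),
    "300 bytes, CRLF": header(300),
    "5000 bytes, CRLF": header(5000),
    "300 bytes, bare LF": header(300, eol="\n"),
    "space before colon": header(300, sep=" :", eol="\n"),
    "leading whitespace": header(300, name="  content-type", eol="\n"),
}

if __name__ == "__main__":
    for label, payload in CASES.items():
        old, new = verdicts(payload)
        print(f"{label:20} old={old!s:5} new={new}")
```

Under the stated assumption the old pattern never fires on CRLF-terminated lines, because `$` cannot match in front of the `\r` that its character class excludes; the current pattern has no end anchor and is not affected.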
Current thread:
- SMTP content-type overflow rule question Bobby Venal (Dec 03)
- Re: SMTP content-type overflow rule question Joel Esler (Dec 03)
- Re: SMTP content-type overflow rule question Rich Graves (Dec 03)
- Re: SMTP content-type overflow rule question Joel Esler (Dec 03)