Snort mailing list archives

Re: How to tune two rules?


From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 08 Aug 2013 22:45:00 -0400

On 8/8/2013 09:31, Turnbough, Bradley E. wrote:
> Guys,
>
> I'm pretty new at using snort, and I'm trying to tune two rules.
>
> Can someone please tell me how to tune these two rules?
>
> gen_id 124, sig_id 7  -- smtp: Attempted header name buffer overflow
>
> gen_id 124, sig_id 1  -- smtp: Attempted command buffer overflow
>
> My sensor is sitting in between my SMTP relays on the outside and my
> firewall, and I get several thousand of these daily.  I'm sure a majority of
> them are false positives, but nonetheless I need to tune this wild animal.

what are your settings for the smtp preprocessor? unless i'm mistaken, that's 
where these alerts originate... you may be able to adjust these specific items 
to fit your environment...

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
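
For reference, a sketch of the two places this kind of tuning is usually done in a Snort 2.x configuration. This is an added example, not part of the original thread: the length values and the relay address 192.0.2.10 are constructed placeholders, and the right numbers depend on what the relays legitimately send.

```conf
# Added example (Snort 2.x syntax). All values and addresses are placeholders.

# 1) Preprocessor limits in snort.conf.
#    Generator 124 is the SMTP preprocessor. 124:1 is raised when a command
#    line is longer than max_command_line_len; a value of 0 (or omitting the
#    option) turns that length check off entirely.
preprocessor smtp: ports { 25 } \
    inspection_type stateful \
    max_command_line_len 1024 \
    max_header_line_len 1000 \
    max_response_line_len 512

# 2) Per-event handling (snort.conf or threshold.conf).
#    Suppress 124:7 only for a known relay instead of disabling it globally,
#    so the same event from any other source still alerts.
suppress gen_id 124, sig_id 7, track by_src, ip 192.0.2.10

#    Rate-limit 124:1 to one alert per source per minute while the
#    preprocessor limits are being adjusted.
event_filter gen_id 124, sig_id 1, type limit, track by_src, count 1, seconds 60
```

Comparing alert counts per source before and after a change shows whether the remaining events come from the known relays or from somewhere unexpected.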
