Snort mailing list archives
Re: Need help with rule - [124:7:1] smtp: Attempted header name buffer overflow
From: Jason Wallace <jason.r.wallace () gmail com>
Date: Tue, 3 Feb 2015 08:36:46 -0500
Take a look at the reference. CVE-2004-0105 is related to Metamail version 2.7. If you are not using Metamail, or if the version is greater than 2.7 then you don't need to enable this rule. On Mon, Feb 2, 2015 at 5:24 PM, Irish Settingg <irishsetting () gmail com> wrote:
We have SNORT IDS in our environment and we are receiving a lot of such alerts - [124:7:1] smtp: Attempted header name buffer overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} Internal IP:46125 -> Internal SMTP Server:25 Rule - [image: Inline images 2] What is this rule actually looking for and what does the preprocessor rule do here..... Do We get false positives due to this.... For the Signature above one forum suggested that if the email headers are more than 64 characters - the alert gets triggered. I know that this rule is not a REGEX based rule but how does it check in the traffic if the header is not normal. Basically I want to know if this rule is of any use or not. ------------------------------------------------------------------------------ Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/ _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------ Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Need help with rule - [124:7:1] smtp: Attempted header name buffer overflow Irish Settingg (Feb 02)
- Re: Need help with rule - [124:7:1] smtp: Attempted header name buffer overflow Jason Wallace (Feb 03)
- Re: Need help with rule - [124:7:1] smtp: Attempted header name buffer overflow Irish Settingg (Feb 03)
- Re: Need help with rule - [124:7:1] smtp: Attempted header name buffer overflow Jason Wallace (Feb 03)