[Snort-sigs] SMTP-EXPN-ROOT problem, again.

dhenderson at ...87... dhenderson at ...87...
Thu Aug 30 12:14:52 EDT 2001

I just noticed a previous posting by John Berkers that lists some 
snort rules with bad references to arachnids ID numbers; the 
smtp-expn-root rule was listed as one of them.

I also noticed that this rule has a wrong arachnids reference number, 
and I am wondering how the snort rules are kept in sync with the 
arachnids database. In the arachnids database, the name of the rule is 
one which would not match the content (and also includes the IDS#).

What is the process for submitting a suggested rule fix? If this forum 
is appropriate, here are my suggested rule fixes for the smtp-expn-root 
and smtp-expn-decode rules:

alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"IDS32/smtp-expn-decode";flags: A+; content:"expn decode"; nocase; reference:arachnids,32; classtype:attempted-recon; sid:659; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"IDS31/smtp-expn-root";flags: A+; content:"expn root"; nocase; reference:arachnids,31; classtype:attempted-recon; sid:660; rev:1;)


David Henderson
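
Added example, not part of the original post and not Snort project code: a small lint that flags rules whose IDS number in msg disagrees with their reference:arachnids value, or whose content words are missing from the msg name. It assumes the IDS<n>/<name> msg form used in the two rules above; the function names are illustrative and the name/content comparison is a heuristic.

```python
import re
# Constructed sample: the post's two rules plus a made-up inconsistent one (sid 900001).
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"IDS32/smtp-expn-decode";flags: A+; content:"expn decode"; nocase; reference:arachnids,32; classtype:attempted-recon; sid:659; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"IDS31/smtp-expn-root";flags: A+; content:"expn root"; nocase; reference:arachnids,31; classtype:attempted-recon; sid:660; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"IDS31/smtp-expn-root";flags: A+; content:"expn decode"; nocase; reference:arachnids,32; classtype:attempted-recon; sid:900001; rev:1;)
'''

def parse_options(rule):
    """Split the (...) body into (keyword, value) pairs; ';' in quotes or after '\\' is data."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, buf, quoted, prev = [], "", False, ""
    for ch in body + ";":
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch == ";" and not quoted and prev != "\\":
            key, _, val = buf.strip().partition(":")
            if key:
                opts.append((key.strip(), val.strip().strip('"')))
            buf = ""
        else:
            buf += ch
        prev = ch
    return opts

def check_rule(rule):
    opts = parse_options(rule)
    get = lambda k: [v for key, v in opts if key == k]
    m = re.match(r"IDS(\d+)/(\S+)", (get("msg") or [""])[0])
    if not m:
        return []  # msg does not use the IDS<n>/<name> form; nothing to compare
    ids_no, name = m.group(1), m.group(2).lower()
    sid = (get("sid") or ["?"])[0]
    refs = re.findall(r"arachnids,\s*(\d+)", " ".join(get("reference")), re.I)
    findings = []
    if ids_no not in refs:
        findings.append(f"sid {sid}: msg says IDS{ids_no}, reference:arachnids gives {refs}")
    # Heuristic (assumption): each word of a text content should appear in the msg name.
    for content in get("content"):
        missing = [w for w in content.lower().split() if w not in name]
        findings += [f"sid {sid}: content words {missing} not in msg name '{name}'"] if missing else []
    return findings

def lint(text):
    rules = [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return [f for rule in rules for f in check_rule(rule)]

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_RULES)))
```

Rules whose content is binary (|..| byte sequences) will trip the name/content heuristic and need to be reviewed by hand.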

