[Snort-sigs] SMTP-EXPN-ROOT problem, again.

Brian Caswell bmc at ...8...
Thu Aug 30 16:06:10 EDT 2001


dhenderson at ...87... wrote:
> What is the process for submitting a suggested rule fix? 

Doing exactly as you did.  I thank you very much for that.

> alert tcp $EXTERNAL_NET any -> $SMTP 25
> (msg:"IDS32/smtp-expn-decode";flags: A+; content:"expn decode"; nocase;
> reference:arachnids,32; classtype:attempted-recon; sid:659; rev:1;)

Uh... there is nothing different except the name.  arachnids is no
longer being maintained.  Adding IDS32/ increases the space needed by 5
characters.  It is preferable to let the user decide if he wants to see
the references or not.

> alert tcp $EXTERNAL_NET any -> $SMTP 25
> (msg:"IDS31/smtp-expn-root";flags: A+; content:"expn root"; nocase;
> reference:arachnids,31; classtype:attempted-recon; sid:660; rev:1;)

Good catch.  One of the problems we have been struggling against (but
are working hard at correcting) is multiple maintainers without a review
process.

We are working towards having a better maintained and administrated
ruleset, but these things are not born overnight.  Even "The Great Max
Vision" [0] has had errors in his rulesets.

As I have stated before, this is a community project.  If you find
something you want to change, well... offer up a solution.  He who
writes the code rules the world. 

[0] I have nothing against Max, but I am slightly tired of the "Why
can't you do things more like Max?" questions.

-- 
Brian Caswell
The MITRE Corporation



