[Snort-sigs] SMTP-EXPN-ROOT problem, again.

Tracy R Reed treed at ...91...
Thu Aug 30 16:43:40 EDT 2001


This is funny. A moment ago snort alerted me that someone did an expn root
on this box. Then I check my snort mail and find that the topic is being
discussed. Coincidence? I think not. :)

I think this may be discussed in another thread but is there any way to
tell snort to only look for expn root type stuff before DATA in smtp
protocol? I think I may as well just turn these rules off since I'm
running qmail and definitely not vulnerable anyhow.

On Thu, Aug 30, 2001 at 01:06:10PM -0700, Brian Caswell wrote:
> dhenderson at ...87... wrote:
> > What is the process for submitting a suggested rule fix? 
> 
> Doing exactly as you did.  I thank you very much for that.
> 
> > alert tcp $EXTERNAL_NET any -> $SMTP 25
> > (msg:"IDS32/smtp-expn-decode";flags: A+; content:"expn decode"; nocase;
> > reference:arachnids,32; classtype:attempted-recon; sid:659; rev:1;)
> 
> Uh... there is nothing different except the name.  arachnids is no
> longer being maintained.  Adding IDS32/ increases the space needed by 5
> characters.  It is preferable to let the user decide if he wants to see
> the references or not.
> 
> > alert tcp $EXTERNAL_NET any -> $SMTP 25
> > (msg:"IDS31/smtp-expn-root";flags: A+; content:"expn root"; nocase;
> > reference:arachnids,31; classtype:attempted-recon; sid:660; rev:1;)
> 
> Good catch.  One of the problems we have been struggling against (But
> are working hard at correcting) is multiple maintainers without a review
> process.
> 
> We are working towards having a better maintained and administrated
> ruleset, but these things are not born overnight.  Even "The Great Max
> Vision" [0] has had errors in his rulesets.
> 
> As I have stated before, this is a community project.  If you find
> something you want to change, well... offer up a solution.  He who
> writes the code rules the world. 
> 
> [0] I have nothing against max, but I am slightly tired of the "Why
> can't you do things more like max?" questions.
> 
> -- 
> Brian Caswell
> The MITRE Corporation
> 

-- 
Tracy Reed      http://www.ultraviolet.org
Windows is the only operating system. Microsoft invented the graphical
interface, the 32 bit operating system, and multi-tasking. Microsoft is open,
standard, and innovative. Microsoft wants what is best for consumers. We have
always been at war with Oceana.
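Worked example of the "only look before DATA" idea raised above. This is added here and is not code from the thread, from Snort, or from the Snort rule set: it is a small, stand-alone Python model of the SMTP command/data state that a detector needs in order to match EXPN/VRFY probes in the command phase only, so that the string "expn root" inside a message body does not fire. The session lines, the account list and the helper names are constructed for this example.

```python
"""State-aware detector for SMTP EXPN/VRFY probes.

Added example (not from the mailing-list thread or the Snort rule set):
it tracks the SMTP command/data phase per session so that an "expn root"
that appears inside a message body is not reported, while the same
command typed in the command phase is.  All sample data is constructed.
"""
import re

# Commands whose argument we inspect.  "root" is the account the thread's
# rule (sid 660) looks for; "decode" is the one from sid 659.
PROBE_RE = re.compile(r"^(EXPN|VRFY)\s+(\S+)", re.IGNORECASE)
WATCHED_ACCOUNTS = {"root", "decode"}


def _account(arg):
    """Normalise an EXPN/VRFY argument: '<root@host>' -> 'root'."""
    return arg.strip("<>").split("@", 1)[0].lower()


def find_smtp_probes(client_lines):
    """Return (line_no, command, account) for EXPN/VRFY of a watched account
    seen while the session is in the command phase.

    client_lines: the lines sent by the client, in order, CRLF stripped.
    Lines between DATA and the terminating "." are the message body and
    are never matched, whatever they contain.
    """
    alerts = []
    in_data = False
    for line_no, line in enumerate(client_lines, 1):
        if in_data:
            # RFC 5321: a line consisting of a single "." ends the body and
            # returns the session to the command phase.
            if line == ".":
                in_data = False
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb == "DATA":
            in_data = True
            continue
        m = PROBE_RE.match(line)
        if m and _account(m.group(2)) in WATCHED_ACCOUNTS:
            alerts.append((line_no, m.group(1).upper(), _account(m.group(2))))
    return alerts


def naive_content_match(client_lines):
    """The thread's rule as a plain case-insensitive content match over
    every line, for comparison: it fires on body text as well."""
    pat = re.compile(r"(expn|vrfy) root", re.IGNORECASE)
    return [n for n, line in enumerate(client_lines, 1) if pat.search(line)]


# Constructed client side of one SMTP session.
SAMPLE_SESSION = [
    "EHLO client.example",              # 1
    "EXPN root",                        # 2: command phase -> alert
    "MAIL FROM:<alice@example>",        # 3
    "RCPT TO:<bob@example>",            # 4
    "DATA",                             # 5
    "Subject: log excerpt",             # 6: body from here on
    "",                                 # 7
    "quoted in the log: expn root",     # 8: body, must not alert
    "VRFY root",                        # 9: body, must not alert
    ".",                                # 10: end of body
    "VRFY root",                        # 11: command phase again -> alert
    "QUIT",                             # 12
]

if __name__ == "__main__":
    print("state-aware:", find_smtp_probes(SAMPLE_SESSION))
    print("naive:      ", naive_content_match(SAMPLE_SESSION))
```

Run as a script, the state-aware detector reports lines 2 and 11 only, while the plain content match also reports lines 8 and 9 from inside the body. The same false positives are what a content-only rule produces on mail traffic that merely quotes the command, which is why the phase has to be tracked rather than matched on bytes alone.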