[Snort-sigs] Experimental 1550 and 1549, wrong port
William Stearns
wstearns at ...157...
Sat Apr 27 22:18:01 EDT 2002
Good day, all,

Sids 1550 and 1549, as of the cvs tar file from 20020427, refer to
port 21 instead of 25.

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXPERIMENTAL SMTP ETRN
overflow attempt"; flags:A+; flow:to_server; dsize:>500; content:"ETRN ";
offset:0; depth:5; reference:cve,CAN-2000-0490; classtype:attempted-admin;
sid:1550; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXPERIMENTAL SMTP HELO
overflow attempt"; flags:A+; flow:to_server; dsize:>500; content:"HELO ";
offset:0; depth:5; reference:cve,CVE-2000-0042; classtype:attempted-admin;
sid:1549; rev:2;)

Oh, by the way. Although experimental.rules is listed in the
snortrules.tar.gz/rules/snort.conf file (albeit commented out), the file
itself can only be found in the full snort.tar.gz.

Cheers,
- Bill
---------------------------------------------------------------------------
"My Operat~1 System supports long filena~1, does yours?"
(Courtesy of mike <mike at ...562...>)
--------------------------------------------------------------------------
William Stearns (wstearns at ...157...). Mason, Buildkernel, named2hosts,
and ipfwadm2ipchains are at: http://www.stearns.org
--------------------------------------------------------------------------
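
A consistency check that would flag the mismatch reported in the message above, as an added example that is not part of the original post or of Snort itself. The protocol-to-port table and the function names are assumptions made for illustration; only `->` rules with a literal destination port are checked.

```python
import re

# Assumption: default server ports for protocol words seen in rule msg text.
PROTO_PORTS = {"SMTP": 25, "FTP": 21, "TELNET": 23, "POP3": 110, "IMAP": 143}
RULE_RE = re.compile(r'^(?:alert|log|pass)\s+\S+\s+\S+\s+\S+\s+->\s+\S+\s+(\S+)\s*\((.*)\)$')

def join_rules(text):
    """Rejoin rules that were wrapped across lines, as they are in the mail."""
    flat = " ".join(l.strip() for l in text.splitlines() if l.strip())
    return re.split(r'(?<=\))\s+(?=(?:alert|log|pass)\s)', flat)

def port_covers(spec, port):
    """True if a port spec (N, lo:hi, :hi, lo:, any, !spec) includes port."""
    if spec.startswith("!"):
        return not port_covers(spec[1:], port)
    lo, sep, hi = ("0:65535" if spec == "any" else spec).partition(":")
    return int(lo) == port if not sep else int(lo or 0) <= port <= int(hi or 65535)

def lint(text):
    """Return (sid, protocol, dst_port) for each rule whose msg names a
    protocol whose default port the destination port does not cover."""
    findings = []
    for rule in join_rules(text):
        m = RULE_RE.match(rule)
        if not m or not re.fullmatch(r'!?(any|\d+|\d*:\d*)', m.group(1)):
            continue  # unparsable rule, or a port variable/list we cannot resolve
        dport, opts = m.groups()
        msg = re.search(r'msg:\s*"([^"]*)"', opts)
        sid = re.search(r'sid:\s*(\d+)', opts)
        for word in (msg.group(1).split() if msg else []):
            if word in PROTO_PORTS and not port_covers(dport, PROTO_PORTS[word]):
                findings.append((int(sid.group(1)) if sid else None, word, dport))
    return findings

# The two rules as quoted in the message (sids 1550 and 1549), wrapped as mailed.
SAMPLE = '''alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXPERIMENTAL SMTP ETRN
overflow attempt"; flags:A+; flow:to_server; dsize:>500; content:"ETRN ";
offset:0; depth:5; reference:cve,CAN-2000-0490; classtype:attempted-admin;
sid:1550; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXPERIMENTAL SMTP HELO
overflow attempt"; flags:A+; flow:to_server; dsize:>500; content:"HELO ";
offset:0; depth:5; reference:cve,CVE-2000-0042; classtype:attempted-admin;
sid:1549; rev:2;)'''

if __name__ == "__main__":
    for sid, proto, dport in lint(SAMPLE):
        print(f"sid {sid}: msg says {proto} but destination port is {dport}")
```

A rule that is bound to the wrong port never sees the traffic it was written for, so a check like this is worth running over a rules file before deployment.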