[Snort-sigs] Experimental 1550 and 1549, wrong port

William Stearns wstearns at ...157...
Sat Apr 27 22:18:01 EDT 2002


Good day, all,
	Sids 1550 and 1549, as of the cvs tar file from 20020427, refer to 
port 21 instead of 25.

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXPERIMENTAL SMTP ETRN overflow attempt"; flags:A+; flow:to_server; dsize:>500; content:"ETRN "; offset:0; depth:5; reference:cve,CAN-2000-0490; classtype:attempted-admin; sid:1550; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXPERIMENTAL SMTP HELO overflow attempt"; flags:A+; flow:to_server; dsize:>500; content:"HELO "; offset:0; depth:5; reference:cve,CVE-2000-0042; classtype:attempted-admin; sid:1549; rev:2;)

	Oh, by the way.  Although experimental.rules is listed in the 
snortrules.tar.gz/rules/snort.conf file (albeit commented out), the file 
itself can only be found in the full snort.tar.gz.
	Cheers,
	- Bill

---------------------------------------------------------------------------
        "My Operat~1 System supports long filena~1, does yours?"
(Courtesy of mike <mike at ...562...>)
--------------------------------------------------------------------------
William Stearns (wstearns at ...157...).  Mason, Buildkernel, named2hosts, 
and ipfwadm2ipchains are at:                        http://www.stearns.org
--------------------------------------------------------------------------
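
A lint check for the kind of mismatch reported in this message, as an added example that is not part of the original post or of Snort: it flags a rule whose msg names a service while the literal server-side port excludes that service's well-known port. The SERVICE_PORTS map and the function names are assumptions made for this example.

```python
import re

# Assumed map: service word in msg -> well-known server port (not Snort's own).
SERVICE_PORTS = {"SMTP": 25, "FTP": 21, "TELNET": 23, "POP3": 110}

HEADER = re.compile(
    r"^(?P<action>\w+) (?P<proto>\w+) (?P<src>\S+) (?P<sport>\S+) "
    r"(?P<dir>->|<>) (?P<dst>\S+) (?P<dport>\S+) ?\((?P<opts>.*)\)$")
OPTION = re.compile(r'((?:[^;"\\]|\\.|"(?:[^"\\]|\\.)*")+);')

def parse_rule(text):
    """Split one rule into (header dict, options dict); None if it does not parse."""
    m = HEADER.match(" ".join(text.split()))  # also undoes mail line wrapping
    if not m:
        return None
    opts = {}
    for item in OPTION.findall(m["opts"]):
        key, _, val = item.strip().partition(":")
        opts.setdefault(key.strip(), val.strip().strip('"'))
    return m.groupdict(), opts

def port_covers(spec, port):
    """True if a literal port spec (N, N:M, :M or N:) includes port."""
    lo, sep, hi = spec.partition(":")
    if not sep:
        return spec == str(port)
    return int(lo or 0) <= port <= int(hi or 65535)

def check_rule(text):
    """Return a finding string if msg names a service the server port excludes."""
    parsed = parse_rule(text)
    if parsed is None:
        return "unparsable rule"
    hdr, opts = parsed
    # The server side is the source when the rule watches server replies.
    from_server = re.search(r"from_server|to_client", opts.get("flow", ""))
    spec = hdr["sport" if from_server else "dport"]
    if not re.fullmatch(r"\d+|\d*:\d*", spec):  # any, $VAR, !N: cannot judge
        return None
    for word in opts.get("msg", "").upper().split():
        port = SERVICE_PORTS.get(word)
        if port is not None and not port_covers(spec, port):
            return f"sid {opts.get('sid', '?')}: msg says {word} but port is {spec}, expected {port}"
    return None

# Sid 1550 as quoted in the message, and a constructed copy with port 25.
RULE_1550 = '''alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXPERIMENTAL SMTP ETRN
overflow attempt"; flags:A+; flow:to_server; dsize:>500; content:"ETRN ";
offset:0; depth:5; reference:cve,CAN-2000-0490; classtype:attempted-admin;
sid:1550; rev:1;)'''
RULE_FIXED = RULE_1550.replace("$HOME_NET 21", "$HOME_NET 25")
```

Rules whose server port is `any`, a variable or a negation are skipped, since the literal text alone cannot show a mismatch.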





