[Snort-sigs] SMTP HELO overflow

Ian Macdonald secsnortsigs at ...644...
Wed Aug 14 09:28:03 EDT 2002


alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP HELO overflow attempt"; flags:A+; dsize:>500; content:"HELO "; offset:0; depth:5; reference:cve,CVE-2000-0042; reference:nessus,10324; classtype:attempted-admin; sid:1549; rev:8;)


Please update to:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP HELO overflow attempt"; flags:A+; dsize:>500; content:"HELO "; offset:0; depth:5; content: !"|0D 0A|MAIL FROM:"; reference:cve,CVE-2000-0042; reference:nessus,10324; classtype:attempted-admin; sid:1549; rev:9;)


This should eliminate false positives for this kind of data:

HELO XXX.com
MAIL FROM:<XXX at ...756...>
RCPT TO:<XXXX at ...757...>
DATA
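
Added example, not part of the original post and not Snort code: a small Python model of the payload checks in rev 8 and rev 9 of sid:1549, run over constructed payloads to show which ones each revision alerts on. The function names and the example.com/example.org addresses are assumptions made for the illustration; TCP flags and the rule header are not modelled.

```python
# Added illustration: a minimal model of the payload options in sid:1549.
# It is not Snort's matching engine; flags and rule headers are ignored.
CRLF = b"\r\n"

def helo_at_start(payload: bytes) -> bool:
    # content:"HELO "; offset:0; depth:5;  -> pattern must fill bytes 0..4
    return payload[0:5] == b"HELO "

def rev8_alerts(payload: bytes) -> bool:
    # dsize:>500 combined with the anchored HELO match
    return len(payload) > 500 and helo_at_start(payload)

def rev9_alerts(payload: bytes) -> bool:
    # rev 9 adds content:!"|0D 0A|MAIL FROM:" -> the rule does not fire
    # when that byte string occurs anywhere in the payload
    return rev8_alerts(payload) and (CRLF + b"MAIL FROM:") not in payload

def pipelined_session(recipients: int) -> bytes:
    # Constructed benign traffic: several SMTP commands in one segment,
    # shaped like the sample in the post (addresses are placeholders).
    lines = [b"HELO mail.example.com", b"MAIL FROM:<sender@example.com>"]
    lines += [b"RCPT TO:<user%02d@example.org>" % i for i in range(recipients)]
    lines.append(b"DATA")
    return CRLF.join(lines) + CRLF

def oversized_helo(arg_len: int) -> bytes:
    # Constructed: one HELO command whose argument is arg_len bytes long.
    return b"HELO " + b"A" * arg_len + CRLF

if __name__ == "__main__":
    samples = {
        "pipelined, 20 recipients": pipelined_session(20),
        "short HELO only": b"HELO mail.example.com" + CRLF,
        "oversized HELO": oversized_helo(600),
    }
    for name, data in samples.items():
        print(f"{name:26} len={len(data):4} "
              f"rev8={rev8_alerts(data)} rev9={rev9_alerts(data)}")
```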