[Snort-sigs] Sendmail Signature
mkettler at ...189...
Fri Apr 4 13:31:05 EST 2003
He's actually looking for a signature for the latest sendmail exploit (CERT
CA-2003-12) . As far as I know, nobody's written a signature.
Since this is a buffer-overflow in mime decoding, I don't think a
general-case snort rule for this exploit will be possible. There are too many
permutations possible for a simple signature to detect it. It might be
possible to write a dedicated preprocessor to examine it.
However, should a given rootkit or worm start exploiting this, it should be
easy to signature that particular form of exploit for the issue.
Really, with the max mime header length option in the latest sendmail, this
should be sufficient on its own to detect attack attempts against a single
server, but doesn't give you network-wide visibility.
At 08:41 AM 4/4/2003 -0500, Bennett Todd wrote:
>On Fri, Apr 04, 2003 at 12:41:54AM -0800, linux snort wrote:
> > Is Sendmail Signature released?
>Here you go, hope this helps.
>alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"He said sendmail!";
> content:"sendmail"; nocase; flow:to_client,established;
> classtype:kickass-porn; sid:1000666; rev:1;)
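The single-server check the reply points to (a length cap on MIME headers, as sendmail's max MIME header length option enforces) is easy to reproduce as a host-side detector. The following is an added example and not code from this thread, from sendmail or from Snort: it unfolds the top-level header block of a raw message and flags any MIME header whose unfolded value, or any single parameter within it, exceeds a limit. The limits (2048 and 1024 bytes), the header list and the sample messages are assumptions constructed for the example; the parameter split on `;` is a heuristic, not a full RFC 2045 parser, and only the top-level header block is examined, not the headers of individual MIME parts.

```python
# Added example: flag oversized MIME headers in a raw message, the kind of
# single-host length check a max MIME header length option gives you.
# Not sendmail's or Snort's code; the limits below are assumed values.

from typing import List, Tuple

MAX_HEADER_LEN = 2048   # assumed: whole unfolded header value
MAX_PARAM_LEN = 1024    # assumed: one "name=value" parameter within it

# Headers whose values go through a MIME decoder; other headers are ignored.
MIME_HEADERS = {
    b"content-type", b"content-disposition",
    b"content-transfer-encoding", b"content-id", b"content-description",
}

Finding = Tuple[str, str, int]   # (header name, "header" | "parameter", length)


def unfold_headers(raw: bytes) -> List[Tuple[bytes, bytes]]:
    """Return (lowercased name, unfolded value) pairs from the header block.

    Folded continuation lines (leading SP/HTAB) are joined back onto the
    preceding header, so the length check sees the header as a decoder does.
    Only the top-level header block (up to the first blank line) is parsed.
    """
    text = raw.replace(b"\r\n", b"\n")
    head = text.split(b"\n\n", 1)[0]
    headers: List[List[bytes]] = []
    for line in head.split(b"\n"):
        if line[:1] in (b" ", b"\t") and headers:
            headers[-1][1] += b" " + line.strip()
        else:
            name, _, value = line.partition(b":")
            headers.append([name.strip().lower(), value.strip()])
    return [(n, v) for n, v in headers]


def oversize_mime_headers(raw: bytes,
                          max_header: int = MAX_HEADER_LEN,
                          max_param: int = MAX_PARAM_LEN) -> List[Finding]:
    """Return one finding per MIME header that breaks either length limit."""
    findings: List[Finding] = []
    for name, value in unfold_headers(raw):
        if name not in MIME_HEADERS:
            continue
        if len(value) > max_header:
            findings.append((name.decode(), "header", len(value)))
            continue
        # Naive parameter split on ';' (ignores quoted ';'); adequate for a
        # length heuristic, not a full RFC 2045 parameter parser.
        for param in value.split(b";")[1:]:
            param = param.strip()
            if len(param) > max_param:
                findings.append((name.decode(), "parameter", len(param)))
    return findings


# Constructed sample messages (not real traffic).
BENIGN = (
    b"From: alice@example.test\r\n"
    b"To: bob@example.test\r\n"
    b"Subject: quarterly numbers\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed;\r\n"
    b"\tboundary=\"----=_Part_42\"\r\n"      # folded continuation line
    b"\r\n"
    b"------=_Part_42\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello\r\n"
)

# Whole Content-Type value far over the header limit.
LONG_NAME_HEADER = b'text/plain; name="' + b"A" * 3000 + b'"'
OVERSIZE_HEADER_MSG = (
    b"From: mallory@example.test\r\nMIME-Version: 1.0\r\n"
    b"Content-Type: " + LONG_NAME_HEADER + b"\r\n\r\nbody\r\n"
)

# Header under the header limit, but one parameter over the parameter limit.
LONG_PARAM = b'name="' + b"B" * 1500 + b'"'
OVERSIZE_PARAM_MSG = (
    b"From: mallory@example.test\r\nMIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; " + LONG_PARAM + b"\r\n\r\nbody\r\n"
)


if __name__ == "__main__":
    for label, msg in (("benign", BENIGN),
                       ("oversize header", OVERSIZE_HEADER_MSG),
                       ("oversize parameter", OVERSIZE_PARAM_MSG)):
        print(label, "->", oversize_mime_headers(msg))
```

Run as a script, the benign message produces no findings, while the two constructed messages each produce one finding naming the header, which limit was broken and the observed length; wiring the same function into a milter or a log-side parser would give the per-host visibility the post describes.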