[Snort-sigs] Sendmail Signature

Matt Kettler mkettler at ...189...
Fri Apr 4 13:31:05 EST 2003

He's actually looking for a signature for the latest sendmail exploit (CERT 
CA-2003-12) . As far as I know, nobody's written a signature.

Since this is a buffer-overflow in mime decoding, I don't think a 
general-case snort rule for this exploit will be possible. There's too many 
permutations possible for a simple signature to detect it. It might be 
possible to write a dedicated preprocessor to examine it.

However, should a given rootkit or worm start exploiting this, it should be 
easy to signature that particular form of exploit for the issue.

Really, with the max mime header length option in the latest sendmail, this 
should be sufficient on it's own to detect attack attempts against a single 
server, but doesn't give you network-wide visibility.

At 08:41 AM 4/4/2003 -0500, Bennett Todd wrote:
>On Fri, Apr 04, 2003 at 12:41:54AM -0800, linux snort wrote:
> > Is Sendmail Signature is released?
>Here you go, hope this helps.
>alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"He said sendmail!";
>         content:"sendmail"; nocase; flow:to_client,established;
>         classtype:kickass-porn; sid:1000666; rev:1;)
>This SF.net email is sponsored by: ValueWeb:
>Dedicated Hosting for just $79/mo with 500 GB of bandwidth!
>No other company gives more support or power for your dedicated server
>Snort-sigs mailing list
>Snort-sigs at lists.sourceforge.net

More information about the Snort-sigs mailing list