[Snort-sigs] False Positive on SMTP HELO Overflow
rshuck at ...1408...
Mon Apr 28 13:11:04 EDT 2003
I have been getting a lot of false positives on this SID if the connect
terminates. What would be bad about adding a dsize value? Can't be an
overflow if the payload isn't at least 500. I have added a "dsize: >499;"
to my rule.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP HELO overflow
attempt"; flow:to_server,established; content:"HELO "; dsize: >499;
offset:0; depth:5; content:!"|0a|"; within:500;
classtype:attempted-admin; sid:1549; rev:9;)
Ron Shuck, CISSP, GCIA - Managing Consultant
Buchanan Associates - A Technology Company in the People Business
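The matching logic described in the post, as an added example (not from the post or from the Snort project): a simplified Python model of the rule's content/offset/depth/within checks, with the dsize constraint optional, run over constructed SMTP payloads including the truncated-connection case that causes the false positive.

```python
from typing import Optional

# Simplified model of sid:1549 (SMTP HELO overflow) matching semantics.
# Assumption: Snort evaluates the whole reassembled payload of one packet;
# a negated content that is not found within its window counts as a match.

def smtp_helo_overflow(payload: bytes, dsize_gt: Optional[int] = None) -> bool:
    """Return True if this payload would raise the alert.

    Models: content:"HELO "; offset:0; depth:5;
            content:!"|0a|"; within:500;   (relative to the end of "HELO ")
            optional dsize:>dsize_gt       (the post's added constraint)
    """
    # dsize:>N -> payload length must exceed N bytes
    if dsize_gt is not None and len(payload) <= dsize_gt:
        return False
    # offset:0 depth:5 -> "HELO " must be exactly the first five bytes
    if payload[:5] != b"HELO ":
        return False
    # !"|0a|" within:500 -> no LF in the 500 bytes after the HELO match.
    # A short packet with no LF (connection torn down mid-command) has an
    # empty or tiny window, so the negated content "matches" and alerts.
    window = payload[5:5 + 500]
    return b"\n" not in window


# Constructed sample payloads
NORMAL = b"HELO mail.example.com\r\n"          # complete command
TRUNCATED = b"HELO mail.example.com"           # no LF: connection terminated
LONG = b"HELO " + b"A" * 600 + b"\r\n"         # oversized hostname
LONG_WITH_LF = b"HELO " + b"A" * 400 + b"\r\n" + b"B" * 200


def compare(payload: bytes) -> dict:
    """Evaluate a payload under the original rule and with dsize:>499."""
    return {
        "original": smtp_helo_overflow(payload),
        "with_dsize": smtp_helo_overflow(payload, dsize_gt=499),
    }


if __name__ == "__main__":
    for name, p in [("normal", NORMAL), ("truncated", TRUNCATED),
                    ("long", LONG), ("long_with_lf", LONG_WITH_LF)]:
        print(name, compare(p))
```

The truncated payload alerts under the original rule but not once dsize:>499 is added, while the 600-byte HELO still alerts under both.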