[Snort-sigs] False Positive on SMTP HELO Overflow

Ron Shuck rshuck at ...1408...
Mon Apr 28 13:11:04 EDT 2003


Hi All,

I have been getting a lot of false positives on this SID if the connection
terminates. What would be bad about adding a dsize value? It can't be an
overflow if the payload isn't at least 500 bytes. I have added "dsize:>499;"
to my rule.

Any thoughts?

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP HELO overflow
attempt"; flow:to_server,established; content:"HELO "; offset:0; depth:5;
content:!"|0a|"; within:500; dsize:>499;
reference:cve,CVE-2000-0042; reference:nessus,10324;
classtype:attempted-admin; sid:1549; rev:9;)


Thanks,


Ron Shuck, CISSP, GCIA - Managing Consultant 
Buchanan Associates - A Technology Company in the People Business 
http://www.buchanan.com 
http://www.isc2.org
http://www.giac.org
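The following is an added example, not part of the original post or of the Snort rule set: a small Python model of the rule options that sid:1549 uses (content with offset/depth, a negated content with within, and the proposed dsize check), run over constructed payloads. It shows why a HELO line cut short by a dropped connection satisfies the original options (the negated LF search succeeds because the window is simply empty) and why the dsize addition suppresses that case while a genuinely long HELO still fires. The function and sample payloads are assumptions of this example, not Snort code.

```python
from typing import Optional

# Added example (not from the original post): a minimal model of the
# option semantics of the SMTP HELO overflow rule discussed above.
#   content:"HELO "; offset:0; depth:5   -> the first five payload bytes
#   content:!"|0a|"; within:500          -> no LF in the 500 bytes that follow
#   dsize:>N                             -> payload must be longer than N bytes
WITHIN_WINDOW = 500
HELO_PREFIX = b"HELO "


def helo_rule_matches(payload: bytes, min_dsize: Optional[int] = None) -> bool:
    """Return True when the modelled options all hold for one TCP payload.

    min_dsize=None models the stock rule; min_dsize=499 models the poster's
    modified rule with "dsize:>499;" added.
    """
    # dsize:>N is a test on the size of the inspected payload.
    if min_dsize is not None and not len(payload) > min_dsize:
        return False
    # offset:0; depth:5 restricts the first content match to payload[0:5].
    if payload[0:5] != HELO_PREFIX:
        return False
    # within:500 is measured from the end of the previous match (byte 5).
    # A negated content succeeds when the pattern is absent from that window,
    # which is also true when the window is shorter than 500 bytes.
    window = payload[len(HELO_PREFIX):len(HELO_PREFIX) + WITHIN_WINDOW]
    return b"\n" not in window


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "normal_helo": b"HELO mail.example.com\r\n",
    "truncated_helo": b"HELO mail.exa",            # connection dropped mid-line
    "long_helo": HELO_PREFIX + b"A" * 600 + b"\r\n",  # oversized argument
}


def compare_rules(samples=SAMPLES) -> dict:
    """Evaluate each sample under the stock rule and the dsize-modified rule."""
    return {
        name: {
            "stock": helo_rule_matches(data),
            "with_dsize": helo_rule_matches(data, min_dsize=499),
        }
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, result in compare_rules().items():
        print(f"{name:15s} stock={result['stock']!s:5s} with_dsize={result['with_dsize']}")
```

The model only covers a single inspected payload. dsize is evaluated against the payload Snort is looking at, so a long HELO argument that arrives split over several small segments could stay under the threshold in each one; whether that matters depends on whether the stream preprocessor hands the rule a reassembled buffer.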

