[Snort-sigs] False Positive on SMTP HELO Overflow
mkettler at ...189...
Mon Apr 28 13:57:07 EDT 2003
At 03:10 PM 4/28/2003 -0500, Ron Shuck wrote:
>I have been getting a lot of false positives on this SID if the connect
>terminates. What would be bad about adding a dsize value? Can't be an
>overflow if the payload isn't at least 500. I have added a "dsize: >499;"
>to my rule.
TCP is a stream protocol. The overflow can be delivered one byte at a time
and still work.
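
The point made in the reply above, as an added example that is not part of the original message or of any Snort rule: a check applied to each TCP segment on its own (with or without a `dsize: >499` gate) is compared with the same check applied to the reassembled byte stream. The function names, the 500-byte threshold handling and the sample traffic are constructed for illustration, and `long_helo` is a simplified stand-in for the rule's content test.

```python
import re

HELO_LIMIT = 500  # bytes; the threshold discussed in the thread


def long_helo(data: bytes) -> bool:
    """Simplified stand-in for the rule's content test: a HELO argument
    that runs HELO_LIMIT bytes or more before the next newline."""
    for m in re.finditer(rb"(?im)^HELO ", data):
        end = data.find(b"\n", m.end())
        arg = data[m.end(): end if end != -1 else len(data)]
        if len(arg.rstrip(b"\r")) >= HELO_LIMIT:
            return True
    return False


def per_packet_alert(segments, min_dsize=None):
    """Judge each TCP segment alone; min_dsize=500 mimics 'dsize: >499'."""
    for seg in segments:
        if min_dsize is not None and len(seg) < min_dsize:
            continue  # the dsize gate skips small payloads entirely
        if long_helo(seg):
            return True
    return False


def stream_alert(segments):
    """Judge the reassembled client byte stream, as stream reassembly would."""
    return long_helo(b"".join(segments))


def split(data: bytes, size: int):
    """Cut one payload into consecutive segments of at most `size` bytes."""
    return [data[i:i + size] for i in range(0, len(data), size)]


# Constructed sample traffic (not captured data).
BENIGN = b"HELO mail.example.org\r\n"
OVERLONG = b"HELO " + b"A" * 600 + b"\r\n"

if __name__ == "__main__":
    for size in (len(OVERLONG), 100, 1):
        segs = split(OVERLONG, size)
        print(f"segment size {size:>3}: dsize-gated={per_packet_alert(segs, 500)} "
              f"per-packet={per_packet_alert(segs)} stream={stream_alert(segs)}")
```

The per-packet checks fire only when the whole command arrives in one segment; the reassembled-stream check fires at every segment size, which is why the size test belongs on the stream rather than on individual packets.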