[Snort-sigs] False Positive on SMTP HELO Overflow

Matt Kettler mkettler at ...189...
Mon Apr 28 13:57:07 EDT 2003


At 03:10 PM 4/28/2003 -0500, Ron Shuck wrote:
>I have been getting a lot of false positives on this SID if the connect
>terminates. What would be bad about adding a dsize value? Can't be an
>overflow if the payload isn't a least 500. I have added a "dsize: >499;"
>to my rule.
>
>Any thoughts?


Tcp is a stream protocol. The overflow can be delivered one byte at a time 
and still work.






More information about the Snort-sigs mailing list