[Snort-sigs] False Positive on SMTP HELO Overflow

Matthew Callaway matt at ...1399...
Wed Apr 30 06:02:07 EDT 2003


Here is a new version of this signature that works correctly:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP HELO
overflow attempt"; flow:to_server,established; content:"HELO ";
offset:0; depth:5; content:!"|0a|"; within:500; content: "?"; offset:
499; regex; reference:cve,CVE-2000-0042; reference:nessus,10324;
classtype:attempted-admin; sid:1549; rev:10;)

i.e.: "HELO " from byte 0 to 5, but no LF within 500 bytes, and at least
one char at 500 bytes.

I have tested this with snort-1.9.1 and it works.  I'm not sure if
snort-2.0.0 supports regex anymore.


-----------------------------------------------------
Matthew Callaway            | matt at ...1399...
Project Manager             | Tel: 608.294.6940
Firewall and VPN Technology | Fax: 608.294.6950
SecurePipe, Inc.            | Web: www.securepipe.com
-----------------------------------------------------

On Mon, 28 Apr 2003, Ron Shuck wrote:

> Hi All,
>
> I have been getting a lot of false positives on this SID if the connection
> terminates. What would be bad about adding a dsize value? Can't be an
> overflow if the payload isn't at least 500. I have added a "dsize: >499;"
> to my rule.
>
> Any thoughts?
>
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP HELO overflow
> attempt"; flow:to_server,established; content:"HELO "; dsize: >499;
> offset:0; depth:5; content:!"|0a|"; within:500;
> reference:cve,CVE-2000-0042; reference:nessus,10324;
> classtype:attempted-admin; sid:1549; rev:9;)
>
>
> Thanks,
>
>
> Ron Shuck, CISSP, GCIA - Managing Consultant
> Buchanan Associates - A Technology Company in the People Business
> http://www.buchanan.com
> http://www.isc2.org
> http://www.giac.org
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
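As an added illustration (not code from either poster), the matching logic of the two rule revisions above modelled in Python and run over constructed SMTP payloads, to show why the rule without a length check fires on a HELO line cut short by a dropped connection, and why the rev:10 offset:499 check (or Ron's dsize:>499) does not. The constant names and sample payloads are assumptions made for the example.

```python
# Model of the rule options discussed in the thread (added example, not from
# the posts themselves):
#   content:"HELO "; offset:0; depth:5         -> first five bytes are "HELO "
#   content:!"|0a|"; within:500                -> no LF in the 500 bytes after it
#   content:"?"; offset:499; regex  /  dsize:>499 -> at least 500 payload bytes
HELO = b"HELO "
NO_LF_WINDOW = 500   # within:500, relative to the end of the "HELO " match
MIN_LEN = 500        # a byte must exist at offset 499


def rev9_matches(payload: bytes) -> bool:
    """Rev 9 logic: "HELO " at offset 0 and no LF in the following window.

    Note that a short packet with no LF at all also satisfies this, which is
    the false positive reported for terminated connections.
    """
    if payload[:5] != HELO:
        return False
    window = payload[5:5 + NO_LF_WINDOW]
    return b"\n" not in window


def rev10_matches(payload: bytes) -> bool:
    """Rev 10 logic: same as rev 9 plus a byte present at offset 499."""
    return rev9_matches(payload) and len(payload) >= MIN_LEN


def classify(payload: bytes) -> dict:
    """Return which revision(s) would alert on this payload."""
    return {"rev9": rev9_matches(payload), "rev10": rev10_matches(payload)}


# Constructed sample payloads (not real captures).
NORMAL = b"HELO mail.example.com\r\n"          # ordinary client greeting
TRUNCATED = b"HELO " + b"a" * 40               # connection dropped before the LF
OVERSIZED = b"HELO " + b"A" * 600 + b"\r\n"    # 600-byte argument, LF past the window
OVERSIZED_NO_LF = b"HELO " + b"A" * 600        # same, line never terminated

if __name__ == "__main__":
    for name, p in [("NORMAL", NORMAL), ("TRUNCATED", TRUNCATED),
                    ("OVERSIZED", OVERSIZED), ("OVERSIZED_NO_LF", OVERSIZED_NO_LF)]:
        print(f"{name:16} len={len(p):4} {classify(p)}")
```

Only the truncated greeting differs between the two revisions: rev 9 alerts on it, rev 10 does not.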