[Snort-sigs] False Positive on SMTP HELO Overflow

Jason Haar Jason.Haar at ...651...
Wed Apr 30 14:06:04 EDT 2003


On Tue, Apr 29, 2003 at 02:20:05PM -0500, Matthew Callaway wrote:
> Here is a new version of this signature that works correctly:
> 
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP HELO
> overflow attempt"; flow:to_server,established; content:"HELO ";
> offset:0; depth:5; content:!"|0a|"; within:500; content: "?"; offset:
> 499; regex; reference:cve,CVE-2000-0042; reference:nessus,10324;
> classtype:attempted-admin; sid:1549; rev:10;)
> 
> ie: "HELO " from byte 0 to 5, but no LF within 500 bytes, and at least
> one char at 500 bytes.
> 

Yeah - the "at least one char at 500 bytes" is needed as I'm currently
getting tonnes of FPs on some spammer SMTP server sending "HELO \r\n" - i.e.
no name string. Looking for any other char would stop that FP.

...but I still don't think regex is ready in 2.0??

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
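The three conditions of the posted rule, modelled in Python as an added example that is not part of this thread and not Snort code. It follows Matthew Callaway's summary of rev 10 ("HELO " in bytes 0-5, no LF within the next 500 bytes, at least one byte at offset 499) rather than emulating Snort 2.0's matcher, so it does not reproduce whatever let the short "HELO \r\n" line past the LF check in Jason's deployment; what it does show is that the wildcard content at offset 499 rejects any HELO line shorter than 500 bytes on its own, independent of the LF check. The payloads are constructed, not captured traffic.

```python
"""Model of the SMTP HELO overflow rule logic discussed in this thread.

Added illustration, not Snort code: it does not emulate Snort 2.0's
detection engine, and the sample payloads below are constructed.
Conditions follow Matthew Callaway's summary of the rev 10 rule:
  1. "HELO " in bytes 0-5            (content:"HELO "; offset:0; depth:5)
  2. no LF within the next 500 bytes (content:!"|0a|"; within:500)
  3. at least one byte at offset 499 (content:"?"; offset:499; regex)
"""

HELO_PREFIX = b"HELO "
NO_LF_WINDOW = 500      # 'within:500' in the rule
REQUIRED_OFFSET = 499   # 'offset: 499' in the rule


def check_helo(payload: bytes) -> dict:
    """Evaluate the three conditions separately so it is visible which one
    accepts or rejects a given payload."""
    has_prefix = payload.startswith(HELO_PREFIX)
    # 'within' is relative to the end of the previous match, so the LF
    # search covers the bytes following "HELO ".  Modelled here as a plain
    # byte search over that window (an assumption, not Snort's own code).
    window = payload[len(HELO_PREFIX):len(HELO_PREFIX) + NO_LF_WINDOW]
    no_lf = b"\n" not in window
    # The single-character wildcard at offset 499 can only match if a byte
    # exists there, i.e. the payload is at least 500 bytes long.  This is the
    # check that throws away short lines such as "HELO \r\n".
    long_enough = len(payload) > REQUIRED_OFFSET
    return {
        "prefix": has_prefix,
        "no_lf": no_lf,
        "long_enough": long_enough,
        "alert": has_prefix and no_lf and long_enough,
    }


def alerts(payload: bytes) -> bool:
    """True if all three rule conditions hold for the payload."""
    return check_helo(payload)["alert"]


# Constructed sample payloads (not real traffic).
SAMPLES = {
    "normal HELO":          b"HELO mail.example.com\r\n",
    "empty HELO (spammer)": b"HELO \r\n",
    "pipelined":            b"HELO " + b"A" * 10 + b"\r\n" + b"X" * 600,
    "EHLO, not HELO":       b"EHLO " + b"A" * 600 + b"\r\n",
    "overflow attempt":     b"HELO " + b"A" * 600 + b"\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        r = check_helo(payload)
        print(f"{name:22s} len={len(payload):4d} prefix={r['prefix']!s:5} "
              f"no_lf={r['no_lf']!s:5} long_enough={r['long_enough']!s:5} "
              f"-> {'ALERT' if r['alert'] else 'ok'}")
```

The "pipelined" sample is worth noting: it is longer than 500 bytes, so the length condition alone would pass it, but the LF inside the window rejects it. All three conditions have to agree before the rule fires, which is why the fix is to add the length check rather than replace the LF check with it.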