[Snort-sigs] false positives for sigs 2259 & 2260

Brian bmc at ...95...
Tue Dec 30 12:16:01 EST 2003


On Sun, Dec 21, 2003 at 09:24:20PM -0500, lpj0508 at ...366... wrote:
> i believe the above signatures are prone to trigger false positives.
> i've been getting these alerts since updating the rules last week.
> when i looked closely, i noticed the alerts were triggered because
> vrfy or expn (mixed upper and lower case) were found in the mail
> content.

This is in 2.1?

One of the things we don't handle yet (Yes, I know Mr Graham...) is
handling the DATA section of SMTP conversations.

These rules can cause false positives if they are inside the body of
an email and happen to start on the beginning of a line.  The regex
that verifies that EXPN or VRFY are at the beginning of a line should
help reduce false positives, but it will not remove them entirely.

-brian
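The behaviour described above, as an added illustration that is not part of the thread and not Snort's own code: a beginning-of-line check applied to the whole client stream still fires on an EXPN/VRFY line inside the DATA section, while a check that tracks SMTP command state and skips the DATA payload does not. The regex below is an assumed stand-in for the rule's anchor, not the text of sid 2259 or 2260, and both SMTP sessions are constructed samples.

```python
import re

# Constructed sample: a mail body with lines that begin with mixed-case
# "vrfy"/"expn", the pattern the thread reports as a false-positive trigger.
BENIGN_SESSION = (
    "EHLO client.example\r\n"
    "MAIL FROM:<alice@example.invalid>\r\n"
    "RCPT TO:<bob@example.invalid>\r\n"
    "DATA\r\n"
    "Subject: sendmail commands\r\n"
    "\r\n"
    "Please do not run these on the server:\r\n"
    "Vrfy postmaster\r\n"
    "expn staff\r\n"
    ".\r\n"
    "QUIT\r\n"
)

# Constructed sample in which the client really issues a VRFY command.
PROBING_SESSION = (
    "EHLO client.example\r\n"
    "VRFY root\r\n"
    "QUIT\r\n"
)

# Assumed stand-in for the rule's beginning-of-line check: case-insensitive,
# anchored at the start of each line of the stream.
CMD_RE = re.compile(r"^(EXPN|VRFY)\b", re.IGNORECASE | re.MULTILINE)

def naive_matches(session):
    """Apply the anchored regex to the whole client stream, DATA included.

    Any body line that starts with EXPN or VRFY matches, which is the
    false positive the thread describes.
    """
    return [m.group(0) for m in CMD_RE.finditer(session)]

def smtp_command_lines(session):
    """Yield only lines sent in command state, skipping the DATA payload.

    After the DATA command, lines belong to the message until the client
    sends a line containing only "." to end the message.
    """
    in_data = False
    for line in session.split("\r\n"):
        if in_data:
            if line == ".":
                in_data = False
            continue
        if line.upper() == "DATA":
            in_data = True
            continue
        yield line

def state_aware_matches(session):
    """Apply the same regex, but only to SMTP command lines."""
    hits = []
    for line in smtp_command_lines(session):
        m = CMD_RE.match(line)
        if m:
            hits.append(m.group(0))
    return hits

if __name__ == "__main__":
    print("naive, benign mail:   ", naive_matches(BENIGN_SESSION))
    print("naive, probing client:", naive_matches(PROBING_SESSION))
    print("stateful, benign mail:", state_aware_matches(BENIGN_SESSION))
    print("stateful, probing:    ", state_aware_matches(PROBING_SESSION))
```

The stateful check here only models the DATA/"." boundary; a real preprocessor also has to handle dot-stuffing, pipelined commands and reassembly across packets, which is why the anchor alone reduces but does not eliminate the false positives.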



