[Snort-sigs] SID 663, SMTP rcpt to sed command attempt

Nathan Bain nebain at ...1671...
Sun Jul 13 14:02:10 EDT 2003


Hello,

The documentation for SID 663, SMTP rcpt to sed command attempt, says
there are no known false positives.  However, Snort has given me several
apparent false positives.

The following payload sent to my SMTP server triggered the alert
(signature included below):

...
060 : 6F 6D 40 73 65 63 75 72 69 74 79 66 6F 63 75 73   om at ...738...
070 : 2E 63 6F 6D 3E 20 53 49 5A 45 3D 35 34 38 38 0D   .com> SIZE=5488.
080 : 0A 52 43 50 54 20 54 4F 3A 3C 73 65 63 75 72 69   .RCPT TO:<securi
090 : 74 79 40 6E 65 62 32 2E 67 6F 74 64 6E 73 2E 63   ty at ...1672...
0a0 : 6F 6D 3E 0D 0A 44 41 54 41 0D 0A 52 65 63 65 69   om>..DATA..Recei
...
540 : 2D 41 44 4D 49 4E 2F 53 59 4D 41 4E 54 45 43 28   -ADMIN/SYMANTEC(
550 : 52 65 6C 65 61 73 65 20 35 2E 30 2E 31 31 0D 0A   Release 5.0.11..
560 : 20 20 7C 4A 75 6C 79 20 32 34 2C 20 32 30 30 32     |July 24, 2002
570 : 29 20 61 74 20 30 37 2F 30 37 2F 32 30 30 33 20   ) at 07/07/2003
580 : 30 34 3A 34 30 3A 34 35 20 50 4D 0D 0A 4D 49 4D   04:40:45 PM..MIM
590 : 45 2D 56 65 72 73 69 6F 6E 3A 20 31 2E 30 0D 0A   E-Version: 1.0..
5a0 : 43 6F 6E 74 65 6E 74 2D 74 79 70 65 3A 20 74 65   Content-type: te
5b0 : 78 74 2F 70 6C 61 69 6E 3B 20 63 68 61 72 73 65   xt/plain; charse
5c0 : 74 3D 75 73 2D 61 73 63 69 69 0D 0A 0D 0A 48 65   t=us-ascii....He
5d0 : 6C 6C 6F 20 45 76 65 72 79 6F 6E 65 2C 0D 0A 0D   llo Everyone,...
5e0 : 0A 49 20 61 6D 20 70 6C 65 61 73 65 64 20 74 6F   .I am pleased to
5f0 : 20 61 6E 6E 6F 75 6E 63 65 20 74 68 65 20 72 65    announce the re
600 : 6C 65 61 73 65 20 6F 66 20 76 65 72 73 69 6F 6E   lease of version
...

Signature:
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP rcpt to sed
command attempt"; flow:to_server,established; content:"rcpt to\:"; nocase;
content:"\|"; distance:0; content:"sed "; distance:0; reference:bugtraq,1;
reference:arachnids,172; reference:cve,CVE-1999-0095;
classtype:attempted-admin; sid:663; rev:6;)

Note that the "rcpt to\:" starts at byte 081, the "\|" occurs at byte 562,
and the "sed " starts at byte 5ea.

Doesn't the "distance:0" option mean that the content blocks should be
immediately next to each other?  It seems that my version of snort
(2.0.0) interprets this option to mean there should be any amount of
distance between the content blocks, triggering obvious false alerts.  Is
this a bug in Snort (in which case I will forward it on to the appropriate
mailing list) or a problem with the rule and my understanding of the
distance operator?

Nathan Bain
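
As an added example (not part of the original post or of Snort itself), the Python below models how Snort evaluates a chain of relative content matches: distance:N sets where the search for the next content begins, measured from the end of the previous match, so distance:0 allows any number of bytes between matches, and it is the within modifier that bounds the window. Run over a constructed payload shaped like the one in the post, the SID 663 chain matches on "RCPT TO:", the "|" in a Received header and the "sed " inside "pleased"; the within handling is a simplified model of Snort's semantics, and the payload is constructed, not the captured bytes.

```python
# Constructed SMTP payload shaped like the one in the post (not the original
# bytes): "RCPT TO:" early, "|" hundreds of bytes later, "sed " inside "pleased".
SAMPLE_PAYLOAD = (
    b"MAIL FROM:<someone@example.com> SIZE=5488\r\n"
    b"RCPT TO:<security@example.net>\r\n"
    b"DATA\r\n"
    b"Received: from MAILHUB (Release 5.0.11\r\n"
    b"  |July 24, 2002) at 07/07/2003 04:40:45 PM\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Hello Everyone,\r\n"
    b"\r\n"
    b"I am pleased to announce the release of version 2\r\n"
)

# Each entry: (pattern, nocase, distance, within). distance: the search starts
# this many bytes past the end of the previous match (0 = anywhere after it);
# within: the match must fit in that many bytes from the start (None = no limit).
SID_663_CHAIN = [
    (b"rcpt to:", True, 0, None),  # content:"rcpt to\:"; nocase;
    (b"|", False, 0, None),        # content:"\|"; distance:0;
    (b"sed ", False, 0, None),     # content:"sed "; distance:0;
]

# The adjacency the post expected from distance:0 needs a within bound.
ADJACENT_CHAIN = [
    (b"rcpt to:", True, 0, None),
    (b"|", False, 0, 1),           # "|" must be the very next byte
    (b"sed ", False, 0, 4),        # "sed " must follow immediately
]


def match_chain(payload, chain):
    """Return [(start, end), ...] for each content if the whole chain matches, else None."""
    prev_end = 0
    hits = []
    for pattern, nocase, distance, within in chain:
        hay = payload.lower() if nocase else payload
        needle = pattern.lower() if nocase else pattern
        start = prev_end + distance
        limit = len(payload) if within is None else start + within
        idx = hay.find(needle, start, limit)  # match must fit fully in [start, limit)
        if idx < 0:
            return None
        hits.append((idx, idx + len(needle)))
        prev_end = idx + len(needle)
    return hits
```

With the SID 663 chain, match_chain returns three widely separated hits for the sample payload; with the adjacent chain it returns None, which is the behaviour the post expected from distance:0 alone.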




