[Snort-sigs] SID 663, SMTP rcpt to sed command attempt

Matt Kettler mkettler at ...1208...
Mon Jul 14 09:46:13 EDT 2003

At 11:17 AM 7/14/2003 -0400, Nigel Houghton wrote:
>Could you both please elucidate on what the false positive condition is

I can enlighten you a bit further about the false postive, and nathan about 
the signature.

First, nathan (and the original rule writer) appears to have "distance" 
confused with "within".. The distance:0 operator does not require the 
strings to be adjacent.. it requires them to be AT LEAST 0 bytes apart, but 
has no restriction for how far apart they can be.

As for the false positive case, this is a very common problem in SMTP rules 
when faced with pipelining.

Modern SMTP allows pipelining. The RCPT command can be issued in the same 
TCP segment as the DATA command, without an intermediate OK from the 
server. Here the rule found a | and a "sed" string in the body of the 
message (part of the DATA) and matched them.

Unfortunately pipelining makes it difficult to write proper rules that 
examine the RCPT command without picking up parts of the start of the DATA 
section using the current snort commands.

This rule needs a "within" operator added to keep it from picking up the 
body text, but that's a hack-fix.

Really snort needs a "before CR or LF byte" operator added to it's ruleset 
to facilitate proper handling of SMTP rules. Anything else and you're just 
taking guesses when pipelining occurs.

pipelined SMTP is a "end of line" oriented protocol, not "end of packet" or 
"whenever the server acknowledges" so the flushing behaviors of stream4 
aren't sufficient to properly handle breaking the data up.

More information about the Snort-sigs mailing list