[Snort-sigs] SID 663, SMTP rcpt to sed command attempt
mkettler at ...1208...
Mon Jul 14 09:46:13 EDT 2003
At 11:17 AM 7/14/2003 -0400, Nigel Houghton wrote:
>Could you both please elucidate on what the false positive condition is
I can enlighten you a bit further about the false positive, and Nathan about
First, Nathan (and the original rule writer) appears to have "distance"
confused with "within". The distance:0 operator does not require the
strings to be adjacent; it requires them to be AT LEAST 0 bytes apart, but
has no restriction for how far apart they can be.
As for the false positive case, this is a very common problem in SMTP rules
when faced with pipelining.
Modern SMTP allows pipelining. The RCPT command can be issued in the same
TCP segment as the DATA command, without an intermediate OK from the
server. Here the rule found a | and a "sed" string in the body of the
message (part of the DATA) and matched them.
Unfortunately pipelining makes it difficult to write proper rules that
examine the RCPT command without picking up parts of the start of the DATA
section using the current snort commands.
This rule needs a "within" operator added to keep it from picking up the
body text, but that's a hack-fix.
Really, Snort needs a "before CR or LF byte" operator added to its ruleset
to facilitate proper handling of SMTP rules. Anything else and you're just
taking guesses when pipelining occurs.
Pipelined SMTP is an "end of line"-oriented protocol, not "end of packet" or
"whenever the server acknowledges", so the flushing behaviors of stream4
aren't sufficient to properly handle breaking the data up.
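The false positive described above, as an added example that is not part of the original post and not Snort's own matching engine: a small Python model of `content` chains with `distance`/`within` modifiers, run over a constructed pipelined SMTP segment whose message body innocently contains a pipe followed by "sed". The three-content rule shape (`rcpt to:`, `|`, `sed`) is an assumption about SID 663, the `within` byte counts are chosen for the example, and the `eol` modifier is hypothetical, modelling the "before CR or LF byte" operator the author proposes. The model does not backtrack to later occurrences of an earlier content the way Snort does; that is enough here because `RCPT TO:` occurs once per segment.

```python
# Added example: toy model of Snort content/distance/within matching,
# used to reproduce the pipelining false positive. Not Snort code.

# Constructed pipelined SMTP client segment: RCPT and DATA arrive in the same
# TCP segment, and the body legitimately contains "| sed".
PIPELINED_SEGMENT = (
    b"MAIL FROM:<alice@example.test>\r\n"
    b"RCPT TO:<bob@example.test>\r\n"
    b"DATA\r\n"
    b"Subject: shell tip\r\n"
    b"\r\n"
    b"Try this: cat notes.txt | sed 's/foo/bar/'\r\n"
    b".\r\n"
)

# Constructed segment where both tokens sit on the RCPT line itself; used only
# to check that the tightened rules still fire on the condition SID 663 targets.
RCPT_LINE_HIT = (
    b"MAIL FROM:<alice@example.test>\r\n"
    b"RCPT TO:<| sed x>\r\n"
    b"DATA\r\n"
)


def match_chain(payload: bytes, chain) -> bool:
    """Evaluate an ordered chain of (pattern, modifiers) content matches.

    Simplified semantics, case-insensitive:
      distance:N  search begins N bytes after the end of the previous match
                  and is otherwise unbounded (this is the post's point)
      within:N    the pattern must end no more than N bytes after the end
                  of the previous match
      eol:True    hypothetical modifier: the pattern must end before the
                  next CR/LF following the previous match
    """
    hay = payload.lower()
    cursor = None  # end offset of the previous match; None before the first content
    for pattern, mods in chain:
        pat = pattern.lower()
        if cursor is None:
            start, end = 0, len(hay)
        else:
            start = cursor + mods.get("distance", 0)
            end = len(hay)
            if "within" in mods:
                end = min(end, cursor + mods["within"])
            if mods.get("eol"):
                nl = hay.find(b"\r", cursor)
                if nl == -1:
                    nl = hay.find(b"\n", cursor)
                if nl != -1:
                    end = min(end, nl)
        idx = hay.find(pat, start, end)  # whole pattern must fit in [start, end)
        if idx == -1:
            return False
        cursor = idx + len(pat)
    return True


# Assumed rule shapes; only the modifier semantics matter for the comparison.
RULES = {
    # As the post describes the original rule: distance:0 only, so the "|" and
    # "sed" may be found anywhere after "rcpt to:", including in the DATA body.
    "distance_only": [
        (b"rcpt to:", {}),
        (b"|", {"distance": 0}),
        (b"sed", {"distance": 0}),
    ],
    # The "hack-fix": bound each follow-on content with within (counts chosen here).
    "with_within": [
        (b"rcpt to:", {}),
        (b"|", {"distance": 0, "within": 32}),
        (b"sed", {"distance": 0, "within": 8}),
    ],
    # The proposed operator: stay on the RCPT line, stop at the first CR/LF.
    "eol_bounded": [
        (b"rcpt to:", {}),
        (b"|", {"distance": 0, "eol": True}),
        (b"sed", {"distance": 0, "eol": True}),
    ],
}


def evaluate(payload: bytes) -> dict:
    """Return {rule_name: matched} for every rule variant over one segment."""
    return {name: match_chain(payload, chain) for name, chain in RULES.items()}


if __name__ == "__main__":
    print("pipelined benign mail:", evaluate(PIPELINED_SEGMENT))
    print("tokens on RCPT line:  ", evaluate(RCPT_LINE_HIT))
```

Running it shows the distance-only chain firing on the benign pipelined mail while both bounded variants stay quiet, and all three firing when the tokens are actually on the RCPT line. The `within` variant depends on guessing a byte count that covers real recipient addresses but not the body, which is why the post calls it a hack; the line-bounded variant needs no such guess.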