[Snort-sigs] SID 663, SMTP rcpt to sed command attempt

Brian bmc at ...95...
Mon Jul 14 13:23:11 EDT 2003


On Mon, Jul 14, 2003 at 12:45:06PM -0400, Matt Kettler wrote:
> At 11:17 AM 7/14/2003 -0400, Nigel Houghton wrote:
> >Could you both please elucidate on what the false positive condition is
> >exactly?
>
> Really snort needs a "before CR or LF byte" operator added to its ruleset 
> to facilitate proper handling of SMTP rules. Anything else and you're just 
> taking guesses when pipelining occurs.

Once pcre is accepted, then you won't need that type of hack.  

-brian
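
The pipelining false positive discussed above, next to the line-bounded match a regular expression allows, as an added example that is not part of the original thread. The tokens and both sample buffers are constructed for illustration and are not the actual SID 663 rule body; Python's `re` module stands in for a pcre-style match.

```python
import re

# Hypothetical tokens for illustration; NOT the real SID 663 rule content.
TOKENS = [b"rcpt to:", b"|", b"sed "]

def naive_match(payload: bytes) -> bool:
    """Ordered substring search over the whole buffer.

    Each token only has to appear somewhere after the previous one,
    so a match can span several SMTP lines seen in one buffer.
    """
    data = payload.lower()
    pos = 0
    for tok in TOKENS:
        idx = data.find(tok, pos)
        if idx < 0:
            return False
        pos = idx + len(tok)
    return True

# Line-bounded version: every token must occur before the CR or LF
# that ends the RCPT command itself. [^\r\n]* cannot cross a line end,
# and re.M lets ^ anchor at the start of each line in the buffer.
LINE_RE = re.compile(rb"^rcpt to:[^\r\n]*\|[^\r\n]*sed ", re.I | re.M)

def line_bounded_match(payload: bytes) -> bool:
    return LINE_RE.search(payload) is not None

# Constructed buffer: ordinary recipients, then later lines that happen
# to contain "|" and "sed " (here, text of a message about log parsing).
BENIGN_BUFFER = (
    b"RCPT TO:<bob@example.com>\r\n"
    b"RCPT TO:<carol@example.com>\r\n"
    b"DATA\r\n"
    b"Subject: log tips\r\n\r\n"
    b"cat access.log | sed -n 1p\r\n"
)

# Constructed buffer: all tokens sit on the RCPT line (inert placeholder).
SAME_LINE_BUFFER = b"RCPT TO: <|sed PLACEHOLDER>\r\n"

if __name__ == "__main__":
    for name, buf in (("benign", BENIGN_BUFFER), ("same-line", SAME_LINE_BUFFER)):
        print(name, "naive:", naive_match(buf), "line-bounded:", line_bounded_match(buf))
```
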



