[Snort-sigs] SMTP ETRN overflow attempt

NO JUNK MAIL no_junk-mail at ...342...
Wed May 7 07:37:15 EDT 2003


I'm trying to modify this signature because it is being trigering "SMTP ETRN" alert when encrypted email come in that have "etrn" in them.   Going throught the sessions, and raw packets, you can find "etrn" in the encryption algarithum that was generated.  I'd like to narrow it up if possible.  Would anybody have a raw packet or more info on what the packet looks like when it is a lagitamite attack.  

Snort Signature;

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ETRN overflow attempt"; flow:to_server,established; content:"ETRN "; offset:0; depth:5; content:!"|0A|"; within:500; reference:cve,CAN-2000-0490; classtype:attempted-admin; sid:1550; rev:6;) 

Dragon Signature;

T D A S 5 10 25 SMTP:ETRN etrn/0d

They both only look for "etrn" and a carrige return.  I'd like it a little longer



Sign-up for your own FREE Personalized E-mail at Mail.com

More information about the Snort-sigs mailing list