[Snort-sigs] SMTP ETRN overflow attempt
NO JUNK MAIL
no_junk-mail at ...342...
Wed May 7 07:37:15 EDT 2003
I'm trying to modify this signature because it is being trigering "SMTP ETRN" alert when encrypted email come in that have "etrn" in them. Going throught the sessions, and raw packets, you can find "etrn" in the encryption algarithum that was generated. I'd like to narrow it up if possible. Would anybody have a raw packet or more info on what the packet looks like when it is a lagitamite attack.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ETRN overflow attempt"; flow:to_server,established; content:"ETRN "; offset:0; depth:5; content:!"|0A|"; within:500; reference:cve,CAN-2000-0490; classtype:attempted-admin; sid:1550; rev:6;)
T D A S 5 10 25 SMTP:ETRN etrn/0d
They both only look for "etrn" and a carrige return. I'd like it a little longer
Sign-up for your own FREE Personalized E-mail at Mail.com
More information about the Snort-sigs