[Snort-sigs] SMTP rcpt to sed command attempt

Tony Lill ajlill at ...1531...
Sat May 24 20:58:02 EDT 2003

This sig triggers too may false positives.

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP rcpt to sed command attempt"; flow:to_server,established; content:"rcpt to\:"; nocase; content:"\|"; distance:0; content:"sed "; distance:0; reference:bugtraq,1; reference:arachnids,172; reference:cve,CVE-1999-0095; classtype:attempted-admin; sid:663; rev:6;)

As written, this rule will trigger on any mail message that contains
an | followed by "sed " anywhere in the message. I take it that
distance:0 is meant to order the strings. Perhaps you should add some
within clauses to reign it in.
Tony Lill,                         Tony.Lill at ...1532...
President, A. J. Lill Consultants        fax/data (519) 650 3571
539 Grand Valley Dr., Cambridge, Ont. N3H 2S2     (519) 241 2461
--------------- http://www.ajlc.waterloo.on.ca/ ----------------
"Welcome to All Things UNIX, where if it's not UNIX, it's CRAP!"

More information about the Snort-sigs mailing list