[Snort-sigs] Possible false positive on SID 663

McKinlay, Ken ken.mckinlay at ...1535...
Tue May 27 06:36:26 EDT 2003


I think I am running into a false positive situation with SID 664, revision
6 (SMTP rcpt to sed command attempt) under Snort 2.0 running on RedHat 8. 

The rule, as I understand it, is supposed to trigger when a pipe symbol is
followed by a "sed " but, that is not the case when I examine the packets.
The packet that tripped the alert does have a pipe symbol but nowhere near
the "sed ". In fact the sed is at the end of the word "increased ", about
1900 bytes from the pipe symbol.

The rule for me is not critical and I have disabled it since the version of
sendmail I am running supposedly is not vulnerable. But I do think it should
be corrected or placed on the obsolete list (according to Bugtraq it was
used by the Morris worm with an "old" version of sendmail). Unfortunately I
am not even close to competent in rule writing to correct this rule; can anyone
help me out? 

Ken McKinlay, GCIA
Network Security, Dy 4 Systems
ken.mckinlay at ...1535... 
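The mismatch Ken describes, a pipe and a "sed " that are both present but roughly 1900 bytes apart, is the classic difference between two independent content matches and a relative (distance/within-style) match. The following Python is an added illustration, not the actual SID 663/664 rule text and not code from the list or from Snort; the real rule's options are not quoted in the post, so the `within` budget of 8 bytes and the sample payloads below are assumptions constructed for the demonstration.

```python
# Added example: contrast an unconstrained two-token match with a
# relative match, using constructed SMTP-like payloads (not real captures).

PIPE = b"|"
SED = b"sed "


def naive_match(payload: bytes) -> bool:
    """Fire if both tokens appear anywhere, in any order and at any distance.

    This models the behaviour observed in the post: a pipe early in the
    payload and the 'sed ' at the tail of 'increased ' far later still match.
    """
    return PIPE in payload and SED in payload


def constrained_match(payload: bytes, within: int = 8) -> bool:
    """Fire only if 'sed ' starts within `within` bytes after some pipe.

    This approximates Snort's relative content matching (distance/within
    options): the second pattern is searched only in a window that follows
    the first match, so unrelated occurrences far apart do not pair up.
    """
    start = 0
    while True:
        pipe = payload.find(PIPE, start)
        if pipe == -1:
            return False
        # Window begins right after the pipe and is long enough to hold a
        # 'sed ' whose first byte lies within `within` bytes of the pipe.
        window = payload[pipe + 1 : pipe + 1 + within + len(SED)]
        if SED in window:
            return True
        start = pipe + 1


def sed_offset_after_pipe(payload: bytes) -> int:
    """Return how many bytes after the first pipe the first 'sed ' begins,
    or -1 if either token is missing. Useful when triaging an alert to see
    whether the two matches are actually adjacent."""
    pipe = payload.find(PIPE)
    if pipe == -1:
        return -1
    sed = payload.find(SED, pipe + 1)
    if sed == -1:
        return -1
    return sed - pipe


# Constructed sample payloads (labelled as such; not captured traffic).
# BENIGN reproduces the false-positive shape from the post: one pipe, then
# about 1900 bytes of filler, then the word 'increased ' which ends in 'sed '.
BENIGN = (
    b"RCPT TO:<alice@example.test>\r\n"
    b"note | "
    + b"x" * 1900
    + b"traffic has increased this week\r\n"
)

# SUSPICIOUS places the two tokens adjacent, which is what the rule intends
# to catch; the command text is a placeholder, not a working exploit.
SUSPICIOUS = b"RCPT TO:<\"| sed placeholder\">\r\n"


if __name__ == "__main__":
    for name, payload in (("BENIGN", BENIGN), ("SUSPICIOUS", SUSPICIOUS)):
        print(
            name,
            "naive:", naive_match(payload),
            "constrained:", constrained_match(payload),
            "gap:", sed_offset_after_pipe(payload),
        )
```

Run as-is it shows the benign payload tripping the naive matcher while the constrained one stays quiet, and reports the gap between the tokens so an analyst can see at a glance that the "sed " is nowhere near the pipe.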