[Snort-sigs] false positive in sid 567

Federico Castañeda F_CASTANEDA at ...2024...
Thu Apr 15 06:54:04 EDT 2004


Hi,

False positive found.

----------------------------------------------------------------------------------------
Rule:  POLICY SMTP relaying denied 
--
Sid: 567
--
False Positives: A false positive was detected in Sendmail when subject text
is rejected. Sample payload below.

550 5.7.1 "-Fast.ac,ting.P`E^N`IS.EN_lar'ge_ment.pill;zkgosmcyvj"...Subject
text rejected..
---------------------------------------------------------------------------------------
Two suggested solutions are:

Modify the rule like this:

alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"POLICY SMTP relaying denied"; flow:established,from_server; content:"550 5.7.1"; depth:70; content:!"Subject text rejected"; reference:url,mail-abuse.org/tsi/ar-fix.html; reference:arachnids,249; classtype:misc-activity; sid:567; rev:9;)


or add another rule before sid 567 to detect Subject rejection:

alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"POLICY SMTP subject text rejected"; flow:established,from_server; content:"550 5.7.1"; depth:70; content:"Subject text rejected"; classtype:misc-activity; sid:1000000; rev:1;)


Best regards, 

Federico.
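Added example (not part of the original post, and not Snort code): a small Python emulation of the content/depth/negation semantics used by the three rules above, run over constructed SMTP 550/250 response lines modelled on the payload in the report. It shows why the original sid 567 fires on a Sendmail "Subject text rejected" response, why the proposed negated content suppresses it, and why that negated content must not carry a depth of its own: in a Snort rule, depth applies only to the content keyword immediately before it, so the "Subject text rejected" check searches the whole payload and still suppresses the alert when the rejected subject pushes the string past byte 70. Rule and sample names are this example's own.

```python
"""Emulate Snort content / depth / content:! matching for the sid 567 discussion.

This is an illustrative re-implementation, not Snort's detection engine.
All payloads below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Content:
    """One Snort 'content' keyword with the two modifiers the rules use."""
    pattern: bytes
    depth: Optional[int] = None   # depth:N -> pattern must lie within the first N bytes
    negated: bool = False         # content:!"..." -> match only if the pattern is absent

    def matches(self, payload: bytes) -> bool:
        window = payload if self.depth is None else payload[: self.depth]
        found = self.pattern in window
        return (not found) if self.negated else found


@dataclass
class Rule:
    """A rule body reduced to its content checks; all of them must pass."""
    sid: int
    msg: str
    contents: List[Content] = field(default_factory=list)

    def fires(self, payload: bytes) -> bool:
        return all(c.matches(payload) for c in self.contents)


# The original sid 567: a single content check restricted to the first 70 bytes.
ORIGINAL_567 = Rule(567, "POLICY SMTP relaying denied",
                    [Content(b"550 5.7.1", depth=70)])

# First suggestion: same check plus a negated content with no depth of its own.
MODIFIED_567 = Rule(567, "POLICY SMTP relaying denied",
                    [Content(b"550 5.7.1", depth=70),
                     Content(b"Subject text rejected", negated=True)])

# Second suggestion: a separate local rule that matches the subject rejection.
SUBJECT_RULE = Rule(1000000, "POLICY SMTP subject text rejected",
                    [Content(b"550 5.7.1", depth=70),
                     Content(b"Subject text rejected")])

# Constructed server responses (assumed Sendmail-style wording).
SAMPLES: Dict[str, bytes] = {
    # A genuine relay refusal: should alert under every version of sid 567.
    "relay_denied": b"550 5.7.1 <victim@example.net>... Relaying denied\r\n",
    # The false positive from the report, shortened: a Subject-text rejection.
    "subject_rejected": b'550 5.7.1 "spam subject"... Subject text rejected\r\n',
    # Same rejection with an 80-byte subject, so the decisive string sits past byte 70.
    "subject_rejected_long": b'550 5.7.1 "' + b"A" * 80 + b'"... Subject text rejected\r\n',
    # A normal acceptance: no rule should fire.
    "accepted": b"250 2.0.0 i3FAs4T012345 Message accepted for delivery\r\n",
}


def evaluate(rule: Rule, samples: Dict[str, bytes]) -> List[str]:
    """Return the sample names on which the rule fires, in sample order."""
    return [name for name, payload in samples.items() if rule.fires(payload)]


if __name__ == "__main__":
    for rule in (ORIGINAL_567, MODIFIED_567, SUBJECT_RULE):
        print(f"sid {rule.sid} ({rule.msg}): {evaluate(rule, SAMPLES)}")
```

Running it lists the samples each rule alerts on: the original sid 567 fires on both subject rejections, the modified sid 567 fires only on the true relay refusal, and the separate sid 1000000 fires only on the subject rejections. Giving the negated content its own depth:70 would make the long-subject sample alert again, which is the check worth running against real Sendmail output before deploying either change.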