[Snort-sigs] false positive for sid 2087

Chris Kronberg smil at ...1754...
Tue Aug 3 08:16:11 EDT 2004


   Hi,


   Currently the rule looks like:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP From comment 
overflow attempt"; flow:to_server,established; content:"From|3A|"; 
nocase; content:"<><><><><><><><><><><><><><><><><><><><><><>"; distance:0; 
content:"|28|"; distance:1; content:"|29|"; distance:1; reference:cve,2002-1337; 
reference:url,www.kb.cert.org/vuls/id/398025; classtype:attempted-admin; 
sid:2087; rev:6;)

   This triggers mails like the one included below which has nothing to
   do with the sendmail vulnerability.
   I understand that the distance keyword gives a relative offset to
   the last match, but then I do not understand what distance:0 does.
   As the vulnerabilty goes for oversized comments in the MAIL FROM
   and RCPT TO header, is there a possibility to rewrite the rule in
   the sense that it triggers wenn the content match above does _not_
   occur before the smtp DATA command?
   I'm currently playing with the within keyowrd to restrict the
   search depth, but I don't feel comfortable with that. Any better
   ideas? I'm interested for solutions for snort 2.0.x and 2.1.x.

   Cheers,


                                                     Chris Kronberg.

Example mail (I just included that as body to a mail):

---------- Forwarded message ----------
Date: Tue, 3 Aug 2004 15:57:55 +0200 (CEST)
From: Christine Kronberg <xxx at ...2678...>
To: smil at ...1754...
Subject: Re: test1


EHLO xxxxxx.xxxxxxxxxx.de

MAIL FROM:<xxxxxxx at ...2679...> SIZE=5421

RCPT TO:<xxxxx_xxxxxx at ...2680...>

DATA

Received: from [aaa.bbb.ccc.ddd] (helo=xxxxxxxxx.xxxxxxxxxxxx.de)

by xxxxxxxxx.xxxxxxxxxxxx.de with esmtp (Exim 3.35 #1)

id 1BramQ-00081x-00

for xxxxx_xxxxxx at ...2680...; Mon, 02 Aug 2004 13:14:58 +0200

Received: from [eee.fff.ggg.hhh] (helo=xxxxxxx.xxxxxxx-xxxxxx.com)

by xxxxxxxxx.xxxxxxxxxxxx.de with asmtp (Exim 3.35 #1)

id 1BramQ-0008NC-00

for xxxxx_xxxxxx at ...2680...; Mon, 02 Aug 2004 13:14:58 +0200

Received: from xxxxxx.xxxxxxx-xxxxxx.com ([xxx.aaa.ddd.fff])

by xxxxxxxxxx.xxxxxxx-xxxxxx.com with ESMTP id i72BEs3U012334

for <xxxxx_xxxxxx at ...2680...>; Mon, 2 Aug 2004 13:14:54 +0200

content-class: urn:content-classes:message

MIME-Version: 1.0

Content-Type: multipart/mixed;

boundary="----_=_NextPart_001_01C47881.EA46DE26"

Subject: AW: Antwort: AW: Antwort: AW: Antwort: AW: Antwort: AW:

X-MimeOLE: Produced By Microsoft Exchange V6.0.6487.1

Date: Mon, 2 Aug 2004 13:14:44 +0200

Message-ID:
<E02F157BADC7FD42A2159F38DC72E46547B0A9 at ...2681...>

X-MS-Has-Attach: yes

X-MS-TNEF-Correlator:

Thread-Topic: Antwort: AW: Antwort: AW: Antwort: AW: Antwort: AW:

Thread-Index: AcR4gU1P2AHKBBteQzCSwOzphfqudgAAHujA

From: "XXXXXXX, xxxxxxxx" <xxxxxxx at ...2682...>

To: <xxxxx_xxxxxx at ...2680...>

X-Virus-Scanned: by amavisd-new

X-Spam-Status: No, hits=0.0 required=10.0

tests=none

version=2.51

X-Spam-Checker-Version: SpamAssassin 2.51 (1.174.2.5-2003-03-20-exp)

This is a multi-part message in MIME format.

------_=_NextPart_001_01C47881.EA46DE26

Content-Type: text/plain;

charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

xxxx  xxxxx xxxxx xxxxx xxxxxxxx xxxx xx xx xxxxxxx xxxxxx xxxxx

xxxxxxxxxxxx xxxxx xxx xxxxxxx xxxxxx xxxx xxx xxxx xxx xxxxxxx =

xxxxxxxxxxxx xxx

xxx xxxxxxxxxxxx xxxxxxxxxxxxx xxxxxxx

xxx xxxxxxx xxxxxxx

+++++++++++++++++++++++++++++++++++

xxxxxxxx xxx xxx xx xxxxxxx xxxxxxx xxxxxx:

http://www.xxxxxxx-xxxxxx.com

+++++++++++++++++++++++++++++++++++

<><><><><><><><><><><><><><><><><><><><><><><><><><><><>

xxxxxxxxx x xxxxx xxxx  xxxxxxxxxxxxxxxxx x xxxxxx xxxxxxxx

xxxxxxx xxxxx

-xxxxxx xxxxxx xxx(xxxxxx/xxxx)

Tel.: +xx(0)xxxx/xxxx-xxx, Fax: +xx(0)xxxx/xxxx-xxxx

E-Mail: xxxxxx at ...2682...

<><><><><><><><><><><><><><><><><><><><><><><><><><><><>





More information about the Snort-sigs mailing list