[Snort-sigs] False positives for rule 1792

Mark Carrington mark.carrington at ...2935...
Fri Dec 17 01:59:01 EST 2004

Rule 1792 blocks any line sent from an NNTP server that starts with "200"
and contains over 64 other characters, the idea being to block response
codes with overly long descriptions that could overflow a buffer.

The problem is that the server can return article data that also matches
this format and is not related to the buffer overflow problem the rule is
designed to prevent.

When retrieving lists of messages using the XHDR or XOVER commands, data for
a message is sent prefixed with the index of the message in the current
group. For example:

XOVER 199-201
224 overview follows
199	<data for article 199>...
200	<data for article 200>...	<-- snort blocks this line
201	<data for article 201>...

Can this rule be modified to remove these false positives? I'm afraid I'm
not a snort expert, so I'll have to leave it to others to figure out how...

Mark Carrington
mark.carrington at ...2935...


MPNews - host your own newsgroups and access them via the web!
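An added example, not from the post or the Snort project, contrasting the rule as described above (line starts with "200" and is overlong) with a check that tracks NNTP response state and ignores lines inside a multi-line data block such as an XOVER listing. The server output and hostname are constructed, and the set of codes that introduce multi-line blocks is a partial list taken from RFC 3977.

```python
"""Overlong '200' status lines: naive per-line check vs. response-aware check."""

# Rule 1792 as described in the post: a status line that starts with "200"
# and carries more than 64 further characters.
STATUS_CODE = "200"
MAX_DESC_LEN = 64

# Response codes that introduce a multi-line data block ended by a line
# containing only "." (RFC 3977). Partial list, enough for this example;
# 224 (XOVER) and 221 (XHDR/HEAD) are the two the post is about.
MULTILINE_CODES = {"100", "101", "215", "220", "221", "222", "224", "225", "230", "231"}


def naive_rule_matches(line: str) -> bool:
    """Mirror of the rule logic described in the post, with no protocol state."""
    return line.startswith(STATUS_CODE) and len(line) - len(STATUS_CODE) > MAX_DESC_LEN


def naive_hits(server_lines):
    """Every line the stateless check would flag, data lines included."""
    return [line for line in server_lines if naive_rule_matches(line)]


def find_overlong_status_lines(server_lines):
    """Flag only genuine status lines; skip everything inside a data block."""
    hits = []
    in_data_block = False
    for line in server_lines:
        if in_data_block:
            # A lone "." terminates the block; any other line is article data,
            # even one that happens to begin with an article number like 200.
            if line == ".":
                in_data_block = False
            continue
        if line[:3] in MULTILINE_CODES:
            in_data_block = True  # the lines that follow are data, not status
        if naive_rule_matches(line):
            hits.append(line)
    return hits


# Constructed sample server output: an overlong greeting (a true match), then
# the XOVER exchange from the post, where article 200's overview line is long
# enough to trip the stateless check.
SAMPLE_SERVER_OUTPUT = [
    "200 news.example.invalid server ready (posting ok) " + "x" * 40,
    "224 overview follows",
    "199\tSubject A\tposter@example.invalid\tFri, 17 Dec 2004 01:59:01 -0500\t<a@x>\t\t1000\t10",
    "200\tSubject B\tposter@example.invalid\tFri, 17 Dec 2004 01:59:01 -0500\t<b@x>\t\t1000\t10",
    "201\tSubject C\tposter@example.invalid\tFri, 17 Dec 2004 01:59:01 -0500\t<c@x>\t\t1000\t10",
    ".",
]
```

Running both checks over SAMPLE_SERVER_OUTPUT shows the stateless check flagging the greeting and the article-200 overview line, while the response-aware check flags the greeting alone.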