[Snort-sigs] Avoidance of 2183.5 (SMTP Content-Transfer-Encoding overflow attempt)

nnposter at ...592...
Fri Jul 2 17:07:12 EDT 2004


Rule:  SMTP Content-Transfer-Encoding overflow attempt

--
Sid: 2183

--
Summary:

--
Impact:

--
Detailed Information:

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:

--
False Negatives:
The current version of the rule incorrectly assumes a specific MIME header
capitalization. As a result, an attacker can easily get around the
signature.

See http://www.faqs.org/rfcs/rfc2045.html
See http://www.faqs.org/rfcs/rfc822.html
--
Corrective Action:

--
Contributors:

-- 
Additional References:


I am proposing to add "nocase" to the main content clause:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 
(msg:"SMTP Content-Transfer-Encoding overflow attempt"; 
flow:to_server,established; 
content:"Content-Transfer-Encoding|3A|"; nocase;
isdataat:100,relative; content:!"|0A|"; within:100; 
reference:cve,2003-0161; 
reference:url,www.cert.org/advisories/CA-2003-12.html; 
classtype:attempted-admin; sid:2183; rev:6;)
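The following Python is an added illustration, not part of the original post and not code from the Snort project. It models the content chain of sid 2183 (header match, then isdataat:100,relative, then content:!"|0A|"; within:100) with and without the proposed nocase modifier, and runs it over constructed SMTP message bodies to show the evasion: RFC 822 / RFC 2045 header field names are case-insensitive, so a receiving MTA treats "content-transfer-encoding:" exactly like the canonical spelling while the case-sensitive rule never fires. The sample messages and function names are assumptions made for this example.

```python
# Emulation of Snort sid 2183's content chain, written for this example.
# Not the Snort engine; the matching semantics below are only what the rule's
# three options (content, isdataat:100,relative, content:!"|0A|"; within:100) express.

HEADER = b"Content-Transfer-Encoding:"   # content:"Content-Transfer-Encoding|3A|"
OVERFLOW_LEN = 100                        # isdataat:100,relative / within:100


def rule_matches(payload: bytes, nocase: bool) -> bool:
    """Return True if sid 2183 would fire on this payload.

    nocase=False models the rule as shipped (case-sensitive header match);
    nocase=True models the proposed revision with the nocase modifier.
    Snort retries later header occurrences when the relative checks fail,
    so every occurrence of the header is tried, not just the first.
    """
    hay = payload.lower() if nocase else payload
    needle = HEADER.lower() if nocase else HEADER
    start = 0
    while True:
        idx = hay.find(needle, start)
        if idx < 0:
            return False
        cursor = idx + len(needle)
        window = payload[cursor:cursor + OVERFLOW_LEN]
        # isdataat:100,relative -> at least 100 bytes must follow the header.
        # content:!"|0A|"; within:100 -> none of those 100 bytes may be LF.
        if len(window) >= OVERFLOW_LEN and b"\n" not in window:
            return True
        start = idx + 1


def build_message(header_name: bytes, value: bytes) -> bytes:
    """Constructed SMTP DATA body with one Content-Transfer-Encoding header."""
    return (b"From: alice@example.com\r\n"
            b"To: bob@example.com\r\n"
            b"MIME-Version: 1.0\r\n"
            + header_name + b": " + value + b"\r\n"
            b"\r\n"
            b"body\r\n")


# Constructed test traffic (not captured data).
BENIGN = build_message(b"Content-Transfer-Encoding", b"base64")
ATTACK = build_message(b"Content-Transfer-Encoding", b"A" * 200)
EVASION = build_message(b"content-transfer-encoding", b"A" * 200)
EVASION_UPPER = build_message(b"CONTENT-TRANSFER-ENCODING", b"A" * 200)


def evaluate(payload: bytes) -> dict:
    """Verdict of both rule variants for one payload."""
    return {
        "without_nocase": rule_matches(payload, nocase=False),
        "with_nocase": rule_matches(payload, nocase=True),
    }


if __name__ == "__main__":
    for name, msg in (("benign", BENIGN), ("attack", ATTACK),
                      ("evasion lower", EVASION), ("evasion upper", EVASION_UPPER)):
        print(f"{name:14s} {evaluate(msg)}")
```

Only the case-sensitive variant misses the two lower- and upper-case variants; with nocase both overflow attempts are detected and the benign message still produces no alert, since fewer than 100 bytes follow the header before the line break.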
