[Snort-sigs] Bug in 654.13 (SMTP RCPT TO overflow)

nnposter at ...592... nnposter at ...592...
Fri Jul 2 23:10:01 EDT 2004

Rule:  SMTP RCPT TO overflow

Sid: 654

False Negatives:
Current version of the rule is completely broken due to missing
colon in PCRE. A corrected version follows:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 
(msg:"SMTP RCPT TO overflow"; flow:to_server,established; 
content:"rcpt to|3A|"; nocase; isdataat:300,relative; 
pcre:"/^RCPT TO\x3a[^\n]{301}/ism";  reference:bugtraq,2283; 
reference:bugtraq,9696; reference:cve,2001-0260; 
classtype:attempted-admin; sid:654; rev:14;)

More information about the Snort-sigs mailing list