[Snort-sigs] Avoidance of 664.13 (SMTP RCPT TO decode attempt)

nnposter at ...592...
Fri Jul 2 23:22:01 EDT 2004


Rule:  SMTP RCPT TO decode attempt

--
Sid: 664

--
False Negatives:
The current version of the rule incorrectly assumes specific SMTP command
capitalization. As a result, an attacker can easily get around the
signature.

See http://www.faqs.org/rfcs/rfc821.html


I am proposing to add "nocase" to the first content clause:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25
(msg:"SMTP RCPT TO decode attempt"; flow:to_server,established;
content:"rcpt to|3A|"; nocase; content:"decode"; distance:0; nocase;
pcre:"/^rcpt to\:\s+decode/smi"; reference:arachnids,121;
reference:bugtraq,2308; reference:cve,1999-0203;
classtype:attempted-admin; sid:664; rev:14;)
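As an added illustration (not part of the original post or of the Snort rule set), the Python below models the matching logic of the rule before and after the proposed change: the first content clause without "nocase" versus with it, followed by the existing case-insensitive pcre. The sample SMTP command lines are constructed; the RFC 821 point is that the client may send RCPT TO in any case.

```python
import re

# Constructed sample SMTP client commands (not taken from the post).
SAMPLES = [
    "rcpt to: decode",                    # lower case: both versions alert
    "RCPT TO: decode",                    # RFC 821 allows this; old rule misses it
    "Rcpt To:   DECODE",                  # mixed case plus extra whitespace
    "RCPT TO: <user@example.com>",        # benign recipient: no alert
    "MAIL FROM: <decode@example.com>",    # 'decode' outside RCPT TO: no alert
]

# Snort's pcre in the rule: /^rcpt to\:\s+decode/smi  (already case-insensitive)
PCRE = re.compile(r"^rcpt to:\s+decode", re.S | re.M | re.I)


def _content_chain(line: str, first_nocase: bool) -> bool:
    """Emulate: content:"rcpt to|3A|" [nocase]; content:"decode"; distance:0; nocase;

    The second content clause had nocase already; only the first one is the
    subject of the proposal. distance:0 means 'decode' must follow the first match.
    """
    hay = line.lower() if first_nocase else line
    i = hay.find("rcpt to:")
    if i < 0:
        return False
    return line.lower().find("decode", i + len("rcpt to:")) >= 0


def old_rule_matches(line: str) -> bool:
    """Rule as it stood: first content clause is case-sensitive."""
    return _content_chain(line, first_nocase=False) and PCRE.search(line) is not None


def new_rule_matches(line: str) -> bool:
    """Proposed rev 14: nocase on the first content clause too."""
    return _content_chain(line, first_nocase=True) and PCRE.search(line) is not None


def evaluate(lines=SAMPLES):
    """Return (line, old_alerts, new_alerts) for each sample."""
    return [(l, old_rule_matches(l), new_rule_matches(l)) for l in lines]


if __name__ == "__main__":
    for line, old, new in evaluate():
        print(f"{line!r:40} old={old!s:5} new={new}")
```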