[Snort-sigs] Avoidance of 2183.5 (SMTP Content-Transfer-Encoding overflow attempt)

Brian bmc at ...95...
Tue Jul 6 08:02:12 EDT 2004


On Fri, Jul 02, 2004 at 06:00:00PM -0600, nnposter at ...592... wrote:
> I am proposing to add "nocase" to the main content clause:
> 
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 
> (msg:"SMTP Content-Transfer-Encoding overflow attempt"; 
> flow:to_server,established; 
> content:"Content-Transfer-Encoding|3A|"; nocase;
> isdataat:100,relative; content:!"|0A|"; within:100; 
> reference:cve,2003-0161; 
> reference:url,www.cert.org/advisories/CA-2003-12.html; 
> classtype:attempted-admin; sid:2183; rev:6;)

yep
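
An added example, not part of the original messages or the Snort rule set: a simplified Python model of the quoted rule's payload options, showing which payloads the rule matches with and without `nocase`. The sample payloads are constructed, and `rule_matches` approximates Snort's option semantics rather than reproducing its detection engine.

```python
import re

HEADER = b"Content-Transfer-Encoding:"  # "|3A|" in the rule is ':'
WINDOW = 100                            # isdataat:100 / within:100


def rule_matches(payload: bytes, nocase: bool) -> bool:
    """Simplified model of the rule's payload options (not Snort's engine)."""
    flags = re.IGNORECASE if nocase else 0
    # Like Snort, retry later occurrences of the header if the checks fail.
    for m in re.finditer(re.escape(HEADER), payload, flags):
        cursor = m.end()
        # isdataat:100,relative -> a byte must exist 100 past the match end
        if cursor + WINDOW >= len(payload):
            continue
        # content:!"|0A|"; within:100 -> no LF in the next 100 bytes
        if b"\n" not in payload[cursor:cursor + WINDOW]:
            return True
    return False


# Constructed SMTP DATA fragments (not captured traffic).
LONG_VALUE = b" " + b"A" * 200 + b"\r\n"
SAMPLES = {
    "normal header": b"Content-Transfer-Encoding: base64\r\n\r\n"
                     + b"QUJD" * 40 + b"\r\n",
    "long value, canonical case": b"Content-Transfer-Encoding:" + LONG_VALUE,
    "long value, lower-case name": b"content-transfer-encoding:" + LONG_VALUE,
}


def evaluate() -> dict:
    """Map each sample to (match without nocase, match with nocase)."""
    return {name: (rule_matches(p, False), rule_matches(p, True))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (without, with_nc) in evaluate().items():
        print(f"{name:30} without nocase={without!s:5} with nocase={with_nc}")
```

Only the lower-case header name changes result between the two columns, which is the gap the `nocase` modifier closes.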



