[Snort-sigs] Bug in 654.13 (SMTP RCPT TO overflow)

Brian bmc at ...95...
Tue Jul 6 08:06:20 EDT 2004


On Fri, Jul 02, 2004 at 11:59:00PM -0600, nnposter at ...592... wrote:
> Current version of the rule is completely broken due to missing
> colon in PCRE. A corrected version follows:
> 
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 
> (msg:"SMTP RCPT TO overflow"; flow:to_server,established; 
> content:"rcpt to|3A|"; nocase; isdataat:300,relative; 
> pcre:"/^RCPT TO\x3a[^\n]{301}/ism";  reference:bugtraq,2283; 
> reference:bugtraq,9696; reference:cve,2001-0260; 
> classtype:attempted-admin; sid:654; rev:14;)

yep, got




More information about the Snort-sigs mailing list