[Snort-sigs] Avoidance of 663.13 (SMTP rcpt to command attempt)

nnposter at ...592... nnposter at ...592...
Tue Jul 6 10:42:03 EDT 2004

Rule:  SMTP rcpt to command attempt

Sid: 663

False Negatives:
Current version of the rule incorrectly assumes specific spacing.
As a result, an attacker can easily get around the signature.

See http://www.faqs.org/rfcs/rfc821.html

I am proposing to follow colon with \s* instead of \s+ in PCRE
(and replace \s+ with " " between RCPT and TO):

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 
(msg:"SMTP rcpt to command attempt"; 
content:"RCPT TO|3A|"; nocase; 
pcre:"/^RCPT TO\x3a\s*[|\x3b]/smi"; 
reference:arachnids,172; reference:bugtraq,1; 
classtype:attempted-admin; sid:663; rev:14;) 

More information about the Snort-sigs mailing list