[Snort-sigs] Avoidance of 2270.4 (SMTP RCPT TO sendmail prescan too long addresses overflow)

nnposter at ...592...
Tue Jul 6 10:42:11 EDT 2004


Rule:  SMTP RCPT TO sendmail prescan too long addresses overflow

--
Sid: 2270

--
False Negatives:
The current version of the rule incorrectly assumes specific spacing.
As a result, an attacker can easily get around the signature.

See http://www.faqs.org/rfcs/rfc821.html


I am proposing to follow the colon with \s* instead of \s+ in the PCRE:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 \
    (msg:"SMTP RCPT TO sendmail prescan too long addresses overflow"; \
    flow:to_server,established; content:"RCPT TO|3A|"; nocase; \
    pcre:"/^RCPT TO\x3a\s*[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; \
    reference:bugtraq,7230; reference:cve,2003-0161; \
    classtype:attempted-admin; sid:2270; rev:5;)
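The false negative described above can be checked offline by running both forms of the PCRE over a constructed RCPT TO line. The script below is an added example, not part of the original post or of the Snort rule set; it assumes the pre-rev:5 pattern differs from the proposed one only in the \s+ after the colon (as the post states), and it maps the rule's /smi modifiers onto Python's re flags.

```python
import re

# Pattern as it stood before the proposed change: \s+ demands at least one
# whitespace character after the colon (reconstructed from the post's
# description, which says only the \s+ is being replaced).
PCRE_ORIGINAL = r"^RCPT TO\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}"

# Proposed rev:5 pattern from the post: \s* also accepts zero whitespace,
# which RFC 821 permits ("RCPT TO:<forward-path>").
PCRE_PROPOSED = r"^RCPT TO\x3a\s*[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}"

# Snort's /s, /m and /i modifiers correspond to DOTALL, MULTILINE, IGNORECASE.
FLAGS = re.S | re.M | re.I


def matches(pattern, payload):
    """True if the pattern fires on the given SMTP command payload."""
    return re.search(pattern, payload, FLAGS) is not None


def build_rcpt_line(separator, segment_len=200):
    """Constructed sample payload: three over-long address segments separated
    by semicolons, with `separator` placed between the colon and the data."""
    seg = "a" * segment_len
    return f"RCPT TO:{separator}{seg};{seg};{seg}\r\n"


def evaluate(separator):
    """Compare both patterns on the same payload for a given post-colon separator."""
    payload = build_rcpt_line(separator)
    return {
        "original": matches(PCRE_ORIGINAL, payload),
        "proposed": matches(PCRE_PROPOSED, payload),
    }


if __name__ == "__main__":
    for label, sep in (("no whitespace", ""), ("single space", " "), ("tab", "\t")):
        print(f"{label:14s}: {evaluate(sep)}")
```

Running it shows the gap: with a space or tab after the colon both patterns fire, but with no whitespace at all only the proposed \s* form does, which is exactly the case the RFC allows and the old rule missed.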