[Snort-sigs] Question about rule 1549

Federico Petronio petrus at ...2312...
Fri Mar 12 07:34:03 EST 2004


I was looking in detail at Snort logs and I cannot realize why this
rule is matching.

The rule is:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP HELO overflow
attempt"; flow:to_server,established; content:"HELO";
isdataat:500,relative; pcre:"/^HELO\s[^\n]{500}/smi";
reference:bugtraq,895; reference:cve,CVE-2000-0042;
reference:nessus,10324; reference:bugtraq,7726; reference:nessus,11674;
classtype:attempted-admin; sid:1549; rev:13;)


And the packet that matched is:

[**] drop SMTP HELO overflow attempt [**]
03/11-08:39:15.581070 200.31.147.12:4805 -> 10.2.0.10:25
TCP TTL:112 TOS:0x0 ID:47993 IpLen:20 DgmLen:73 DF
***AP*** Seq: 0x6E8D1FEC  Ack: 0x6B4AF7C7  Win: 0xFD3C  TcpLen: 20
48 45 4C 4F 20 57 4C 4C 2D 33 33 2D 70 70 70 6F  HELO WLL-33-pppo
65 30 31 32 2E 74 2D 6E 65 74 2E 6E 65 74 2E 76  e012.t-net.net.v
65                                               e


but I am not sure why, since the "{500}" restriction could never match
because the packet is shorter than that.

Maybe you could help me understand this.

Thank you very much.
-- 
                                         Federico Petronio
                                         petrus at ...2312...
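To check the reasoning in the post, the following Python script (an added example, not part of the original message and not Snort's own matching engine) rebuilds the 33-byte payload from the hex dump above and evaluates the rule's content, isdataat and pcre options against it, next to a constructed over-long HELO line of the kind the rule is written for. The semantics of isdataat (a byte must exist at the given offset after the end of the last content match) are approximated from the option's documented meaning, which is an assumption.

```python
import re

# Payload bytes copied from the hex dump in the post (DgmLen 73 - 20 IP - 20 TCP = 33 bytes).
HEX_DUMP = """
48 45 4C 4F 20 57 4C 4C 2D 33 33 2D 70 70 70 6F
65 30 31 32 2E 74 2D 6E 65 74 2E 6E 65 74 2E 76
65
"""

# Constructed sample of what sid 1549 is meant to catch: a HELO argument far over 500 bytes.
LONG_HELO = b"HELO " + b"A" * 600 + b"\r\n"

# pcre:"/^HELO\s[^\n]{500}/smi" -> s = DOTALL, m = MULTILINE, i = IGNORECASE
HELO_PCRE = re.compile(rb"^HELO\s[^\n]{500}", re.DOTALL | re.MULTILINE | re.IGNORECASE)


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn the space-separated hex byte columns of a Snort packet dump into bytes."""
    return bytes(int(tok, 16) for tok in dump.split())


def rule_1549_matches(payload: bytes) -> dict:
    """Evaluate the three payload options of sid 1549 rev 13 and the overall verdict."""
    # content:"HELO" has no 'nocase', so the content match is case-sensitive.
    idx = payload.find(b"HELO")
    content_ok = idx != -1
    # isdataat:500,relative -> a payload byte must exist 500 bytes past the end of "HELO".
    # (Assumed reading of the option; Snort's exact boundary handling may differ by one.)
    isdataat_ok = content_ok and len(payload) > idx + len(b"HELO") + 500
    # pcre: HELO, one whitespace char, then 500 non-newline chars at a line start.
    pcre_ok = HELO_PCRE.search(payload) is not None
    return {
        "content": content_ok,
        "isdataat": isdataat_ok,
        "pcre": pcre_ok,
        "alert": content_ok and isdataat_ok and pcre_ok,
    }


if __name__ == "__main__":
    logged = hexdump_to_bytes(HEX_DUMP)
    print(len(logged), logged)                # 33 b'HELO WLL-33-pppoe012.t-net.net.ve'
    print("logged packet:", rule_1549_matches(logged))
    print("600-byte HELO:", rule_1549_matches(LONG_HELO))
```

On the logged packet only the content option holds; isdataat and pcre both fail, so the 33-byte payload on its own does not satisfy the rule.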