[Snort-sigs] Suggestion to cut down on FP for generic overflow rules

Alec H. Peterson ahp at ...2480...
Thu May 13 06:49:01 EDT 2004


Perhaps we could make use of flowbits and take a peek at the startup banner 
to make sure it is in fact the IMAP server in question we are concerned 
about?

Alec

--On Thursday, May 13, 2004 9:23 AM -0400 Brian <bmc at ...95...> wrote:

> On Thu, May 13, 2004 at 05:25:00PM +1200, Russell Fulton wrote:
>> I was wondering if it would be worth parameterising these rules with a
>> $FTP_PATH_LEN and an IMAP_FOLDER_LEN which gets set along with all the
>> other configurable stuff in snort.conf?
>
> Nope, because it is specific to specific implementations of IMAP.
>
> I'd rather not use variables inside the rule body, as you will not be
> able to track the history of a rule appropriately if the detection
> capabilities are tied to something outside of the rule.
>
> Brian
>
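The flowbits idea suggested above, sketched as a Snort 2.x rule pair. This is an added example, not part of the original thread or the official ruleset. The banner string `ExampleIMAPd`, the flowbit name, the 100-byte threshold, the choice of the `CREATE` command and the local sids are all assumptions made for illustration.

```snort
# Constructed example: "ExampleIMAPd" is a placeholder banner, not a real product.

# Rule 1: mark the session when the server greeting identifies the
# implementation of concern. flowbits:noalert keeps this rule silent.
alert tcp $HOME_NET 143 -> $EXTERNAL_NET any ( \
    msg:"LOCAL IMAP ExampleIMAPd banner seen"; \
    flow:from_server,established; \
    content:"* OK"; depth:4; \
    content:"ExampleIMAPd"; nocase; distance:0; \
    flowbits:set,local.imap.exampleimapd; \
    flowbits:noalert; \
    classtype:not-suspicious; sid:1000001; rev:1;)

# Rule 2: the generic long-folder-name check, evaluated only on sessions
# that rule 1 marked. The length stays a literal inside the rule body,
# so the rule's detection behaviour is fully described by its sid and rev.
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( \
    msg:"LOCAL IMAP CREATE long folder name to ExampleIMAPd"; \
    flow:to_server,established; \
    flowbits:isset,local.imap.exampleimapd; \
    content:"CREATE"; nocase; \
    isdataat:100,relative; \
    pcre:"/\sCREATE\s[^\n]{100}/smi"; \
    classtype:attempted-admin; sid:1000002; rev:1;)
```

The second rule stays silent on any session where Snort did not see the greeting (mid-stream pickup) or where the administrator has changed or suppressed the banner, so the reduction in false positives comes at the cost of possible false negatives.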







