[Snort-sigs] Suggestion to cut down on FP for generic overflow rules

Brian bmc at ...95...
Thu May 13 08:56:04 EDT 2004

On Thu, May 13, 2004 at 07:48:01AM -0600, Alec H. Peterson wrote:
> On Thursday, May 13, 2004 9:23 AM -0400 Brian <bmc at ...95...> wrote:
> >On Thu, May 13, 2004 at 05:25:00PM +1200, Russell Fulton wrote:
> > > I was wondering if it would be worth parameterising these rules with a
> > > $FTP_PATH_LEN and an IMAP_FOLDER_LEN which gets set along with all the
> > > other configurable stuff in snort.conf?
> >
> > Nope, because it is specific to specific implementations of IMAP.
> >
> > I'd rather not use variables inside the rule body, as you will not
> > be able to track the history of a rule appropriately if the
> > detection capabilities are tied to something outside of the rule.
> Perhaps we could make use of flowbits and take a peek at the startup
> banner to make sure it is in fact the IMAP server in question we are
> concerned about?

Banners become a nightmare to maintain.  I'd rather not do that if we
can avoid it.  

If your mail server allows different folder depths, modify those
specific rules.
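As an added illustration (not from the thread, and not Sourcefire's rules), the two approaches discussed above written out in Snort 2.x rule syntax: a flowbits gate keyed on the server's startup banner, and a plain per-site copy of the overflow rule with its length threshold changed. The banner string, the local SIDs and the 256/512-byte thresholds are assumptions chosen for the example.

```snort
# Added example, not from the thread. Snort 2.x rule syntax.
# Assumptions: a constructed banner "* OK Example IMAP4rev1", local SIDs
# 1000001-1000003, and folder-name thresholds of 256 and 512 bytes.

# --- Option A (banner + flowbits): the banner rule only tags the session ---
# flowbits:noalert keeps it silent; it just records that this flow belongs
# to the IMAP implementation the overflow threshold was written for.
alert tcp $HOME_NET 143 -> $EXTERNAL_NET any ( \
    msg:"IMAP example server banner seen"; \
    flow:from_server,established; \
    content:"* OK Example IMAP4rev1"; depth:30; \
    flowbits:set,imap.example_server; flowbits:noalert; \
    sid:1000001; rev:1;)

# The overflow rule fires only when that flowbit was set earlier on the same
# flow, so other IMAP servers with deeper folder names do not trip it.
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( \
    msg:"IMAP SELECT long folder name (gated on banner)"; \
    flow:to_server,established; \
    flowbits:isset,imap.example_server; \
    content:"SELECT"; nocase; isdataat:256,relative; \
    pcre:"/\sSELECT\s[^\n]{256}/i"; \
    classtype:attempted-admin; sid:1000002; rev:1;)

# --- Option B (Brian's advice): copy the generic rule, change the number ---
# No banner dependency; the rule's history stays self-contained and the
# site-specific depth (512 here) is the only edit from the generic rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( \
    msg:"IMAP SELECT long folder name (site threshold)"; \
    flow:to_server,established; \
    content:"SELECT"; nocase; isdataat:512,relative; \
    pcre:"/\sSELECT\s[^\n]{512}/i"; \
    classtype:attempted-admin; sid:1000003; rev:1;)
```

Option A trades a banner-maintenance burden for fewer false positives; Option B keeps each rule self-describing at the cost of one local copy per server type, which is the trade-off the thread is about.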

