[Snort-sigs] SID: 8440
patrik.israelsson at ...1288...
Tue Apr 24 12:30:48 EDT 2007
On Tuesday 24 April 2007 17.24, Paul Schmehl wrote:
> I'm trying to understand *why* what appear to be legitimate users checking
> email is tripping this alert. Is it badly configured clients? Unpatched
> clients? Badly designed clients that ignore the protocol?
> The bottom line is, why are our users' email clients routinely trying to
> overflow a buffer?
For what it's worth, I've deactivated this sig since long since it was giving
way too many false positives. We run NIDS services for a whole bunch of
companies and this sig has triggered massively on our sensors in pretty much
every network we've connected them to. So I'm fairly confident that what
you're seeing is not clients trying to exploit a vulnerability, rather they
are just going about their usual business and this Snort sig is interpreting
More information about the Snort-sigs