[Snort-sigs] SID: 8440
pauls at ...1311...
Tue Apr 24 13:23:38 EDT 2007
--On Tuesday, April 24, 2007 18:30:48 +0200 Patrik Israelsson
<patrik.israelsson at ...1288...> wrote:
> On Tuesday 24 April 2007 17.24, Paul Schmehl wrote:
>> I'm trying to understand *why* what appear to be legitimate users
>> checking email are tripping this alert. Is it badly configured clients?
>> Unpatched clients? Badly designed clients that ignore the protocol?
>> The bottom line is, why are our users' email clients routinely trying to
>> overflow a buffer?
> For what it's worth, I deactivated this sig long ago, since it was
> giving way too many false positives. We run NIDS services for a whole
> bunch of companies and this sig has triggered massively on our sensors
> in pretty much every network we've connected them to. So I'm fairly
> confident that what you're seeing is not clients trying to exploit a
> vulnerability, rather they are just going about their usual business and
> this Snort sig is interpreting it incorrectly.
The sig is doing precisely what it's supposed to be doing. The question
is, is what it's being asked to do correct? And if so, why are clients
routinely trying to overflow a buffer? Is it a massive misinterpretation
of the protocol? Is the sig written incorrectly?
I'm hesitant to disable alerts simply because they're noisy. I prefer to
know why they're noisy and correct the problem.
Paul Schmehl (pauls at ...1311...)
Senior Information Security Analyst
The University of Texas at Dallas