[Snort-sigs] SID: 8440

Paul Schmehl pauls at ...1311...
Tue Apr 24 13:23:38 EDT 2007


--On Tuesday, April 24, 2007 18:30:48 +0200 Patrik Israelsson 
<patrik.israelsson at ...1288...> wrote:

> On Tuesday 24 April 2007 17.24, Paul Schmehl wrote:
> [...]
>> I'm trying to understand *why* what appear to be legitimate users
>> checking email is tripping this alert.  Is it badly configured clients?
>> Unpatched clients?  Badly designed clients that ignore the protocol?
>>
>> The bottom line is, why are our users' email clients routinely trying to
>> overflow a buffer?
>
> For what it's worth, I've deactivated this sig since long since it was
> giving way too many false positives. We run NIDS services for a whole
> bunch of companies and this sig has triggered massively on our sensors
> in pretty much every network we've connected them to. So I'm fairly
> confident that what you're seeing is not clients trying to exploit a
> vulnerability, rather they are just going about their usual business and
> this Snort sig is interpreting it incorrectly.
>
The sig is doing precisely what it's supposed to be doing.  The question 
is, is what it's being asked to do correct?  And if so, why are clients 
routinely trying to overflow a buffer?  Is it a massive misinterpretation 
of the protocol?  Is the sig written incorrectly?

I'm hesitant to disable alerts simply because they're noisy.  I prefer to 
know why they're noisy and correct the problem.

-- 
Paul Schmehl (pauls at ...1311...)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/