[Snort-sigs] False positive on rule 10995

Pieter pieter at ...3322...
Wed Oct 17 09:20:05 EDT 2007


Hi,

I noticed a number of people already posted on false positives for this rule
10995 (SMTP possible BDAT DoS attempt).
Alex Kirk, Research Analyst, Sourcefire, Inc., already presented a possible
solution (see below) and renamed the revision of the rule to rev3 on
7/6/2007.

However today the old rule with revision 1 is still in the default snort
ruleset. Is there any (security) reason why this change is not included in
the default snort ruleset?

Kind regards
Pieter


From Alex Kirk on 7/6/2007 in this snort mailing list:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP possible BDAT DoS attempt"; flow:to_server,established; content:"BDAT"; nocase; pcre:"/^BDAT/smi"; byte_jump:2,1,relative,string,dec; content:!"|0D 0A|"; within:2; metadata:service smtp; reference:bugtraq,4204; reference:cve,2002-0055; reference:url,www.microsoft.com/technet/security/bulletin/ms02-012.mspx; classtype:denial-of-service; sid:10995; rev:3;)
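To see what the option chain of the quoted rev3 rule actually checks on a BDAT command, the added Python below walks constructed SMTP client payloads through it; this is my own emulation, not Sourcefire's engine or anything from the thread, and the byte_jump/within semantics follow my reading of the Snort 2.x manual (an assumption to verify against a live sensor).

```python
import re

CRLF = b"\r\n"

def sid_10995_rev3_matches(payload: bytes) -> bool:
    """Return True where the quoted rule would alert on one to-server payload.

    Assumed option semantics (my reading of the Snort 2.x manual):
      content:"BDAT"; nocase; pcre:"/^BDAT/smi" -> reduced to "payload starts
        with BDAT" (the common case for a command segment)
      byte_jump:2,1,relative,string,dec -> skip 1 byte after "BDAT", read 2 ASCII
        chars as decimal N, move the detection pointer past those chars plus N
        bytes; a pointer outside the payload makes the option fail (no alert)
      content:!"|0D 0A|"; within:2 -> alert when the 2 bytes at the pointer
        exist and are not CRLF
    """
    if payload[:4].upper() != b"BDAT":
        return False
    size_at = 4 + 1                                # offset 1 past "BDAT"
    size_field = payload[size_at:size_at + 2]
    if len(size_field) < 2:
        return False                               # byte_jump cannot read 2 bytes
    digits = re.match(rb"\d+", size_field)         # strtoul-like: leading digits only
    if digits is None:
        return False                               # no number -> byte_jump fails
    n = int(digits.group())
    doe = size_at + 2 + n                          # detection pointer after the jump
    if doe + 2 > len(payload):
        return False                               # out of bounds -> no match
    return payload[doe:doe + 2] != CRLF


# Constructed SMTP client payloads (not captured traffic):
SAMPLES = {
    # RFC 3030 chunk: "BDAT 10" CRLF followed by exactly 10 octets in the same segment
    "chunk_in_segment": b"BDAT 10\r\n0123456789",
    # same command, but the 10 octets arrive in a later TCP segment
    "command_only": b"BDAT 10\r\n",
    # chunk whose last two octets happen to be CRLF
    "chunk_ending_crlf": b"BDAT 10\r\n01234567\r\n",
    # unrelated command
    "mail_from": b"MAIL FROM:<user@example.test>\r\n",
}

def evaluate_samples() -> dict:
    return {name: sid_10995_rev3_matches(p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:20s} -> {'ALERT' if hit else 'no alert'}")
```

Under these semantics the two-digit size is read but the pointer is then moved past the chunk data rather than past the size field, so whether a well-formed chunk alerts depends on its last two data bytes and on segmentation; that is the kind of behaviour to confirm on a sensor when chasing the reported false positives.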

