[Snort-sigs] False positive on rule 10995

Pieter pieter at ...3322...
Wed Oct 17 09:20:05 EDT 2007


I noticed a number of people already posted on false positives for this rule
10995 (SMTP possible BDAT DoS attempt).
Alex Kirk, Research Analyst at Sourcefire, Inc., already presented a possible
solution (see below) and renamed the revision of the rule to rev3 on

However, today the old rule with revision 1 is still in the default Snort
ruleset. Is there any (security) reason why this change is not included in
the default Snort ruleset?

Kind regards

From Alex Kirk on 7/6/2007 in this Snort mailing list:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP possible BDAT DoS attempt"; flow:to_server,established; content:"BDAT"; nocase; pcre:"/^BDAT/smi"; byte_jump:2,1,relative,string,dec; content:!"|0D 0A|"; within:2; metadata:service smtp; reference:bugtraq,4204; classtype:denial-of-service; sid:10995; rev:3;)

Able NV: ond.nr 0457.938.087
RPR Mechelen
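The check the question calls for, added here as an example and not code from the original post or from Sourcefire: parse a local Snort rules file, find every copy of a given sid, and report whether the highest enabled revision is at least the one you expect (rev 3 for sid 10995). The rules text below is constructed; the rev 1 body is a placeholder, not the real rev 1 text, and the sid 9999991 rule is invented for the sample.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample ruleset: a stale copy of sid 10995 at rev 1 (placeholder
# body, not the real rev 1 text), one made-up unrelated rule, and the rev 3
# rule quoted in the post, present but commented out (so not deployed).
SAMPLE_RULES = r'''
# constructed placeholder for the stale rev 1 entry
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP possible BDAT DoS attempt"; flow:to_server,established; content:"BDAT"; nocase; metadata:service smtp; reference:bugtraq,4204; classtype:denial-of-service; sid:10995; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP constructed example rule"; flow:to_server,established; content:"EHLO"; nocase; sid:9999991; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP possible BDAT DoS attempt"; flow:to_server,established; content:"BDAT"; nocase; pcre:"/^BDAT/smi"; byte_jump:2,1,relative,string,dec; content:!"|0D 0A|"; within:2; metadata:service smtp; reference:bugtraq,4204; classtype:denial-of-service; sid:10995; rev:3;)
'''

# A rule line: optional leading '#' (disabled), an action, a header with no
# parentheses, then the option block in parentheses.
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?:alert|log|pass|drop|reject|sdrop)\s[^(]*\((?P<opts>.*)\)\s*$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;')


def parse_rules(text: str) -> Dict[int, List[Tuple[int, bool]]]:
    """Map each sid to the (rev, enabled) pairs found; rev 0 means no rev option."""
    found: Dict[int, List[Tuple[int, bool]]] = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        opts = m.group("opts")
        sid_m, rev_m = SID_RE.search(opts), REV_RE.search(opts)
        if not sid_m:
            continue
        rev = int(rev_m.group(1)) if rev_m else 0
        found.setdefault(int(sid_m.group(1)), []).append((rev, m.group("disabled") is None))
    return found


def check_revisions(text: str, expected: Dict[int, int]) -> Dict[int, Tuple[Optional[int], str]]:
    """For each expected sid, report the highest *enabled* deployed rev and a status."""
    found = parse_rules(text)
    report: Dict[int, Tuple[Optional[int], str]] = {}
    for sid, want in expected.items():
        revs = found.get(sid, [])
        enabled = [r for r, on in revs if on]
        deployed = max(enabled) if enabled else None
        if deployed is None:
            status = "missing" if not revs else "disabled"
        else:
            status = "stale" if deployed < want else "ok"
        report[sid] = (deployed, status)
    return report


if __name__ == "__main__":
    for sid, (rev, status) in check_revisions(SAMPLE_RULES, {10995: 3}).items():
        print(f"sid {sid}: deployed rev {rev} -> {status}")
```

Point `check_revisions` at the text of your deployed rules file instead of `SAMPLE_RULES`; a "stale" result for 10995 means the rev 1 rule the post complains about is still what Snort is loading.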
