[Snort-sigs] SID 13923 - Bad Rule

evilghost at ...3397... evilghost at ...3397...
Tue Apr 6 14:53:44 EDT 2010


Hello, SID 13923 seems to generate quite a lot of false positives.  
Looking at the rule, did you really mean it this way?

content:"HELO "; content:!"|00|"; within:2

This fires on every SMTP HELO since the syntax is "HELO 
fqdn.hostname.com".  I would imagine any RFC compliant SMTP connection 
with "HELO" would cause this signature to fire.  I would expect to not 
find a null character after the SMTP "HELO" verb within three bytes of 
the previous content match (taking into account the 0x20 after the HELO 
verb).

Can this be addressed?  As-is it appears this signature isn't specific 
to CVE 2006-3277 at all.

Not to be an jerk but this really is a horrid rule, how did it make it 
into this VRT release?  It was modified in this VRT release.

Thanks,
-evilghost







More information about the Snort-sigs mailing list