[Snort-sigs] SID 13923 - Bad Rule

evilghost at ...3397...
Tue Apr 6 15:10:15 EDT 2010


Oh yeah, this one is policy security-ips drop so you may want to 
escalate priority.  I don't think SMTP is that nefarious, SF you might 
have some appliance IPS impacted customers...

-evilghost

evilghost at ...3397... wrote:
> Hello, SID 13923 seems to generate quite a lot of false positives.  
> Looking at the rule, did you really mean it this way?
>
> content:"HELO "; content:!"|00|"; within:2
>
> This fires on every SMTP HELO since the syntax is "HELO 
> fqdn.hostname.com".  I would imagine any RFC compliant SMTP connection 
> with "HELO" would cause this signature to fire.  I would expect to not 
> find a null character after the SMTP "HELO" verb within three bytes of 
> the previous content match (taking into account the 0x20 after the HELO 
> verb).
>
> Can this be addressed?  As-is it appears this signature isn't specific 
> to CVE 2006-3277 at all.
>
> Not to be a jerk but this really is a horrid rule, how did it make it 
> into this VRT release?  It was modified in this VRT release.
>
> Thanks,
> -evilghost
>
>
>
>
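To see why the rule fires on every ordinary HELO, the following is an added example (not code from the list post and not Snort's own code): a minimal Python model of the `content` / `!content` / `within` semantics the rule relies on. It assumes the rule is evaluated against the raw SMTP command bytes with no preprocessor normalization, and it models only the options the quoted rule uses (`within` is treated as "the pattern must lie entirely inside the N bytes following the end of the previous match"; Snort's re-anchoring on a later occurrence of the first content is not modeled). The SMTP lines are constructed samples.

```python
"""Minimal model of Snort content matching, enough to evaluate SID 13923.

This is an illustrative reimplementation, not Snort's matcher. Assumptions:
raw payload (no SMTP preprocessor normalization), and only the options the
rule uses: plain content, negated content, and `within` relative to the end
of the previous match.
"""
from typing import List, Optional, Tuple

# (pattern, negated, within)
Rule = List[Tuple[bytes, bool, Optional[int]]]

# The rule fragment quoted in the thread:
#   content:"HELO "; content:!"|00|"; within:2
SID_13923: Rule = [
    (b"HELO ", False, None),
    (b"\x00", True, 2),
]


def find_relative(payload: bytes, pattern: bytes, start: int,
                  within: Optional[int]) -> Optional[int]:
    """Search for `pattern` at or after `start` (end of the previous match).

    With `within=N` the pattern must fit entirely inside the N bytes that
    follow `start`. Returns the offset just past the match, or None.
    """
    if within is None:
        idx = payload.find(pattern, start)
    else:
        window = payload[start:start + within]
        rel = window.find(pattern)
        idx = start + rel if rel >= 0 else -1
    return None if idx < 0 else idx + len(pattern)


def evaluate(rule: Rule, payload: bytes) -> bool:
    """Return True if every content option in `rule` is satisfied.

    A positive content must be found and advances the cursor; a negated
    content must NOT be found in its window and leaves the cursor alone.
    """
    cursor = 0
    for pattern, negated, within in rule:
        end = find_relative(payload, pattern, cursor, within)
        if negated:
            if end is not None:
                return False
        else:
            if end is None:
                return False
            cursor = end
    return True


def sid_13923_fires(payload: bytes) -> bool:
    """Would the quoted SID 13923 fragment alert on this command line?"""
    return evaluate(SID_13923, payload)


# Constructed sample SMTP command lines (not captured traffic).
SAMPLES = {
    "rfc_helo":    b"HELO mail.example.com\r\n",   # ordinary client greeting
    "ehlo":        b"EHLO mail.example.com\r\n",   # no "HELO " at all
    "null_in_win": b"HELO \x00\x00rest\r\n",       # null inside the 2-byte window
    "null_late":   b"HELO ab\x00rest\r\n",         # null just outside the window
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:12s} fires={sid_13923_fires(line)}  {line!r}")
```

Run as a script and the ordinary `HELO mail.example.com` line is the one that alerts: the negated `|00|` with `within:2` only suppresses the alert when a null byte sits in the two bytes right after `"HELO "`, which a compliant client never sends, so the rule as written alerts on every standard HELO and stays silent only on the odd null-padded case.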