[Snort-sigs] Need help with rule - [124:7:1] smtp: Attempted header name buffer overflow

Irish Settingg irishsetting at ...2420...
Mon Feb 2 17:24:10 EST 2015

We have SNORT IDS in our environment and we are receiving a lot of such
alerts -

[124:7:1] smtp: Attempted header name buffer overflow [Classification:
Attempted Administrator Privilege Gain] [Priority: 1] {TCP} Internal
IP:46125 -> Internal SMTP Server:25

Rule - [image: Inline images 2]

What is this rule actually looking for, and what does the preprocessor rule
do here?

Do we get false positives due to this?

For the signature above, one forum suggested that if the email headers are
more than 64 characters, the alert gets triggered. I know that this rule
is not a REGEX-based rule, but how does it check in the traffic if the
header is not normal? Basically, I want to know if this rule is of any use
or not.
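For triaging these alerts, the following added example (not part of the original post and not Snort's own code) measures header-name length in a captured SMTP DATA payload. It assumes the check applies to the text before the colon and uses the 64-character figure the post cites; the function name and the sample message are constructed for illustration.

```python
import re

# Threshold taken from the figure quoted in the post; an assumption here,
# not a value read from Snort's source.
MAX_HEADER_NAME_LEN = 64


def long_header_names(message: bytes, limit: int = MAX_HEADER_NAME_LEN):
    """Return (line_no, name_len, has_colon) for each over-long header name.

    `message` is the payload that follows the SMTP DATA command. Only the
    header block (everything before the first empty line) is examined.
    """
    findings = []
    for line_no, line in enumerate(re.split(rb"\r?\n", message), start=1):
        if line == b"":                # blank line: headers end, body begins
            break
        if line[:1] in (b" ", b"\t"):  # folded continuation of previous value
            continue
        name, sep, _value = line.partition(b":")
        # With no colon on the line, the whole line is counted as the name,
        # which is how a client that omits the delimiter would show up.
        if len(name) > limit:
            findings.append((line_no, len(name), sep == b":"))
    return findings


# Constructed sample: two ordinary headers (one folded), one header whose
# name is 72 bytes long, then a body line that must not be inspected.
SAMPLE = (
    b"From: alice@example.com\r\n"
    b"Subject: a long subject value that has been folded\r\n"
    b"\tonto a second line so the value runs well past sixty-four bytes\r\n"
    b"X-" + b"A" * 70 + b": value\r\n"
    b"\r\n"
    b"Body-" + b"B" * 80 + b": not a header\r\n"
)

if __name__ == "__main__":
    for line_no, name_len, has_colon in long_header_names(SAMPLE):
        print(f"line {line_no}: {name_len} bytes before colon (colon={has_colon})")
```

Running this over the DATA payloads behind a batch of alerts shows whether they come from one client emitting an unusually long or colon-less header line, which is the usual starting point for deciding whether to tune the rule.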
