[Snort-sigs] Need help with rule - [124:7:1] smtp: Attempted header name buffer overflow

Jason Wallace jason.r.wallace at ...2420...
Tue Feb 3 08:36:46 EST 2015


Take a look at the reference. CVE-2004-0105 is related to Metamail version
2.7. If you are not using Metamail, or if the version is greater than 2.7,
then you don't need to enable this rule.

On Mon, Feb 2, 2015 at 5:24 PM, Irish Settingg <irishsetting at ...2420...>
wrote:

> We have SNORT IDS in our environment and we are receiving a lot of such
> alerts -
>
> [124:7:1] smtp: Attempted header name buffer overflow [Classification:
> Attempted Administrator Privilege Gain] [Priority: 1] {TCP} Internal
> IP:46125 -> Internal SMTP Server:25
>
>
> Rule - [image: Inline images 2]
>
>
> What is this rule actually looking for and what does the preprocessor rule
> do here?
>
>
> Do we get false positives due to this?
>
> For the signature above, one forum suggested that if the email headers are
> more than 64 characters - the alert gets triggered. I know that this rule
> is not a REGEX based rule, but how does it check in the traffic if the
> header is not normal? Basically I want to know if this rule is of any use
> or not.
>
>
>

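The check described in the quoted question, flagging a header whose name runs past a length limit, can be reproduced offline to see which header names in captured mail would exceed it and so explain an alert. This is an added example, not part of the original thread and not Snort's own code; the 64-byte limit is the figure from the forum claim in the question, and the function name and sample message are constructed.

```python
# Assumption: 64 is the limit quoted in the question above, not a value
# read from Snort's source or configuration.
MAX_HEADER_NAME_LEN = 64


def long_header_names(message: bytes, limit: int = MAX_HEADER_NAME_LEN):
    """Return (line_number, name_length, name) for every header field whose
    name (the bytes before the first colon) is longer than `limit`."""
    findings = []
    lines = message.replace(b"\r\n", b"\n").split(b"\n")
    for lineno, line in enumerate(lines, start=1):
        if line == b"":
            break  # blank line ends the header section; the body is not checked
        if line[:1] in (b" ", b"\t"):
            continue  # folded continuation of the previous header, not a new name
        name, colon, _value = line.partition(b":")
        if not colon:
            continue  # no colon: not a header field, skipped in this sketch
        if len(name) > limit:
            findings.append((lineno, len(name), name.decode("latin-1")))
    return findings


# Constructed sample message (not taken from the thread).
SAMPLE = b"".join([
    b"Received: from mail.example.test by mx.example.test\r\n",
    b"Subject: quarterly report\r\n",
    b"\t" + b"a" * 80 + b": folded text, not a header name\r\n",
    b"X-" + b"B" * 68 + b": value\r\n",
    b"To: user@example.test\r\n",
    b"\r\n",
    b"C" * 90 + b": body text after the header section\r\n",
])

if __name__ == "__main__":
    for lineno, length, name in long_header_names(SAMPLE):
        print(f"line {lineno}: header name is {length} bytes: {name[:20]}...")
```

Run against mail that triggered the alert, the output shows whether a legitimate but unusually long header name explains it.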
