[Snort-sigs] Need help with rule - [124:7:1] smtp: Attempted header name buffer overflow

Irish Settingg irishsetting at ...2420...
Tue Feb 3 14:54:34 EST 2015


I basically wanted to know, this being a protocol-based signature, what
in the protocol triggers this. Can an email have a header size of more
than 64 bytes in normal circumstances? If yes, this signature may be
suppressed.

Also, can we make any change in a preprocessor rule to fit our environment?

On 3 February 2015 at 19:06, Jason Wallace <jason.r.wallace at ...2420...>
wrote:

> Take a look at the reference. CVE-2004-0105 is related to Metamail version
> 2.7. If you are not using Metamail, or if the version is greater than 2.7
> then you don't need to enable this rule.
>
> On Mon, Feb 2, 2015 at 5:24 PM, Irish Settingg <irishsetting at ...2420...>
> wrote:
>
>> We have SNORT IDS in our environment and we are receiving a lot of such
>> alerts -
>>
>> [124:7:1] smtp: Attempted header name buffer overflow [Classification:
>> Attempted Administrator Privilege Gain] [Priority: 1] {TCP} Internal
>> IP:46125 -> Internal SMTP Server:25
>>
>>
>> Rule - [image: Inline images 2]
>>
>>
>> What is this rule actually looking for, and what does the preprocessor
>> rule do here?
>>
>>
>> Do we get false positives due to this?
>>
>> For the Signature above one forum suggested that if the email headers are
>> more than 64 characters - the alert gets triggered. I know that this rule
>> is not a REGEX based rule but how does it check in the traffic if the
>> header is not normal. Basically I want to know if this rule is of any use
>> or not.
>>
>>
>>
>>
>
>
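The question at the top of the thread is whether ordinary mail can trip this alert. The alert text itself says header *name*, and the thread quotes a 64-character figure, so the useful check is whether any header name (the token before the first colon on an unfolded header line), not the header line as a whole, exceeds 64 bytes. The following is an added example, not code from the thread or from the Snort project; it assumes that 64-byte limit on the header name and uses two constructed sample messages so it runs offline. Run it over the header block of a message pulled from the mail server (or carved from a capture of the SMTP DATA phase) to see what actually fired.

```python
"""Check a message's header block against a 64-byte header-NAME limit.

Added example (not from the thread). Assumptions, labelled: the limit is
64 bytes and applies only to the header name, i.e. the text before the
first ':' of each unfolded header line. Sample messages are constructed.
"""
from typing import List, Tuple

MAX_HEADER_NAME_LEN = 64  # assumed limit, matching the 64 quoted in the thread


def unfold_headers(raw: bytes) -> List[bytes]:
    """Return the logical header lines of a message.

    Takes everything before the first blank line and joins RFC 5322 folded
    continuation lines (lines starting with a space or tab) onto the
    preceding header, so a long folded Received: header is one line.
    Accepts CRLF or bare LF line endings.
    """
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    lines: List[bytes] = []
    for line in head.split(b"\n"):
        if line[:1] in (b" ", b"\t") and lines:
            lines[-1] += b" " + line.strip()  # continuation of previous header
        else:
            lines.append(line)
    return lines


def header_name_overflows(raw: bytes, limit: int = MAX_HEADER_NAME_LEN) -> List[Tuple[bytes, int]]:
    """Return (name, length) for every header whose NAME exceeds `limit` bytes.

    A long header VALUE (a 200-byte Subject, a multi-line Received) never
    counts; only the part before the first colon is measured.
    """
    hits: List[Tuple[bytes, int]] = []
    for line in unfold_headers(raw):
        name, sep, _value = line.partition(b":")
        if not sep:
            continue  # no colon at all: not a header name, so nothing to measure
        if len(name) > limit:
            hits.append((name, len(name)))
    return hits


def would_alert(raw: bytes) -> bool:
    """True if the message would trip the header-name limit at least once."""
    return bool(header_name_overflows(raw))


# Constructed sample: ordinary mail with long VALUES and a folded header.
# Every header name here is short, so this should not fire.
NORMAL_MSG = (
    b"Received: from mx.example.test (mx.example.test [192.0.2.10])\r\n"
    b"\tby mail.example.test with ESMTP id 0123456789abcdef;\r\n"
    b"\tTue, 3 Feb 2015 14:54:34 -0500\r\n"
    b"Subject: " + b"A" * 200 + b"\r\n"
    b"X-Spam-Status: No, score=-0.1 required=5.0 tests=BAYES_00,DKIM_SIGNED\r\n"
    b"\r\n"
    b"body\r\n"
)

# Constructed sample: a header NAME of 80 bytes ("X-" plus 78 characters).
# This is the shape the alert name describes.
OVERFLOW_MSG = (
    b"From: alice@example.test\r\n"
    b"X-" + b"Q" * 78 + b": anything\r\n"
    b"\r\n"
    b"body\r\n"
)

if __name__ == "__main__":
    for label, msg in (("normal", NORMAL_MSG), ("overflow", OVERFLOW_MSG)):
        hits = header_name_overflows(msg)
        print(f"{label}: alert={would_alert(msg)}", [(n[:16], ln) for n, ln in hits])
```

The point of the two samples is the distinction the thread is circling: a 200-byte Subject value and a three-line Received header are normal and do not count, because only the name is measured. If a real message from the server shows a name longer than 64 bytes, that is the header to look at before deciding whether to suppress or tune the alert for the environment.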
[Attachment: Capture.JPG (image/jpeg, 18033 bytes), the rule screenshot referenced above]