[Snort-users] chameleon overflow

Paulie paulie at ...2160...
Fri Jun 8 18:05:52 EDT 2001


Matt,

I get losta fals positives on this rule...I have been meaning to disable
it.

Heres the rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"IDS266 - CAN-1999-0261
- SMTP Chameleon Overflow"; content: "HELP"; nocase; flags: AP; dsize: >500;
depth: 10;)

So basically it alarms on any inbound smtp packet big enough and with the
ever so infrequent word HELP in it.

Unless you are running the Chameleon STMP server its prolly not useful
anyways.

Paul


On Fri, 8 Jun 2001, Matt Hand wrote:

>
>   I was checking through yesterday's logs and ran across a SMTP chameleon overflow, which is unusual for us. The logs are from a machine running DNS and acting as our mail server.
>
>   The arachNIDs database says its unlikely the ip address was spoofed so I checked and it belongs to cheetahmail.com. Has anyone experienced anything similar and, if so, what did you do about it?
>
>   In any case, here are the relevant lines from the log file:
>
> <snip>
> Jun  7 16:27:05 chia snort: SMTP chameleon overflow: 206.132.30.40:41226 -> 207.252.45.6:25
> Jun  7 16:27:05 chia named[517]: "optonline.net IN MX" points to a CNAME (mail-relay.optonline.net)
> Jun  7 16:27:05 chia named[517]: "optonline.net IN MX" points to a CNAME (mail-hub.optonline.net)
> </snip>
>
>   Thanks for the help.
>
> Matt Hand
> matt at ...1740...
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>





More information about the Snort-users mailing list