[Snort-users] chameleon overflow

Brian Caswell bmc at ...312...
Fri Jun 8 18:41:12 EDT 2001


Paulie wrote:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"IDS266 - CAN-1999-0261
> - SMTP Chameleon Overflow"; content: "HELP"; nocase; flags: AP; dsize: >500;
> depth: 10;)
> 
> So basically it alarms on any inbound smtp packet big enough and with the
> ever so infrequent word HELP in it.

Well, Any SMTP packet big enough that is larger than 500 that includes
the word help in the first 10 characters of the packet.

Both arachnids and the snort.org rulesets have had this rule modified
for quite some time.  Upgrade your ruleset.

The current rule content/depth is content:"HELP "; depth:5;

That should help cut down on the false positives.

-- 
Brian Caswell
The MITRE Corporation




More information about the Snort-users mailing list