[Snort-users] False positives
osk at ...3916...
Tue Oct 30 06:12:04 EST 2001
I'm trying to reduce the number of false positives I'm getting.
One of the "over sensitive" rules is this one:
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP RCPT TO overflow";
flags:A+; content: "rcpt to|3a|"; dsize:>800; reference:cve,CAN-2001-0260;
reference:bugtraq,2283; classtype:attempted-admin; sid:654; rev:1;)
which alarms every time there is a packet containing "rcpt to:"
and the packet payload is more than 800 bytes, which is not necessarily
the length of the recipients list passed to "rcpt to:".
[fire-proof overalls on]
Having a kind of limited regular expressions or wild-cards and a way
to reference the size of the matched string would be, at least in this
case, useful. Like `content: "rcpt to|3a|*|0d 0a|"; msize:>800'
I don't have enough experience with snort to estimate how
useful it could be in helping to detect other buffer overflows.
Just wanted to share my thoughts.
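The following is an added illustration, not code from the post or from the Snort project, of the difference between what sid:654 actually tests (the whole packet payload exceeds 800 bytes and "rcpt to:" appears somewhere in it) and the "size of the matched string" check the poster wishes for. The three SMTP packets are constructed for this example; `rcpt_argument_lengths` is a hypothetical stand-in for the proposed `msize`, measuring the bytes between "rcpt to:" and the next CRLF. Because the quoted rule has no nocase modifier, its content match is lowercase-only, so the samples use lowercase commands to keep both checks looking at the same packets.

```python
"""Compare the dsize-based rule with a check on the RCPT TO argument length.

All packets below are constructed examples; 'rcpt_argument_lengths' is an
assumed equivalent of the 'msize' keyword proposed in the post.
"""

CRLF = b"\r\n"
PATTERN = b"rcpt to:"   # the rule's content: "rcpt to|3a|" (no nocase, so lowercase only)
THRESHOLD = 800         # the rule's dsize:>800


def rule_sid654_matches(payload: bytes) -> bool:
    """Literal reading of the quoted rule: the content string appears anywhere in
    the packet and the total payload is larger than 800 bytes."""
    return PATTERN in payload and len(payload) > THRESHOLD


def rcpt_argument_lengths(payload: bytes) -> list:
    """Length of the bytes following each 'rcpt to:' up to the next CRLF (or the
    end of the packet). This is the quantity the proposed 'msize' would compare."""
    lengths = []
    start = 0
    while True:
        idx = payload.find(PATTERN, start)
        if idx < 0:
            break
        arg_start = idx + len(PATTERN)
        end = payload.find(CRLF, arg_start)
        if end < 0:
            end = len(payload)
        lengths.append(end - arg_start)
        start = arg_start
    return lengths


def proposed_rule_matches(payload: bytes) -> bool:
    """Fire only if some RCPT TO argument itself exceeds the threshold."""
    return any(n > THRESHOLD for n in rcpt_argument_lengths(payload))


# --- constructed packets (not real traffic) ---

# A pipelined session: normal-length recipient, then a message body that pushes
# the packet well past 800 bytes and even mentions "rcpt to:" in passing.
_body_line = b"lorem ipsum line " * 4 + CRLF        # 70 bytes per line
PKT_PIPELINED = (
    b"mail from:<alice@example.test>" + CRLF
    + b"rcpt to:<bob@example.test>" + CRLF
    + b"data" + CRLF
    + b"note: the rcpt to: command was rejected" + CRLF
    + _body_line * 14
    + b"." + CRLF
)

# A single RCPT TO command whose argument is abnormally long (865 bytes).
PKT_LONG_RCPT = b"rcpt to:<" + b"A" * 850 + b"@example.test>" + CRLF

# An ordinary short command.
PKT_NORMAL = b"rcpt to:<carol@example.test>" + CRLF


def classify(payload: bytes) -> dict:
    """Summarise how each check treats a packet."""
    return {
        "dsize": len(payload),
        "sid654": rule_sid654_matches(payload),
        "msize_check": proposed_rule_matches(payload),
        "max_arg": max(rcpt_argument_lengths(payload), default=0),
    }


if __name__ == "__main__":
    for name, pkt in [("pipelined", PKT_PIPELINED),
                      ("long_rcpt", PKT_LONG_RCPT),
                      ("normal", PKT_NORMAL)]:
        print(name, classify(pkt))
```

Running it shows the pipelined packet tripping sid:654 purely on size (payload 1090 bytes, longest RCPT TO argument 21 bytes) while the argument-length check stays quiet, and both checks agreeing on the 865-byte recipient. Note that the argument-length check can still be fooled by a long line in the message body that happens to contain "rcpt to:", since it measures to the next CRLF rather than parsing SMTP state.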