[Snort-users] False positives

Chris Osicki osk at ...3916...
Tue Oct 30 06:12:04 EST 2001


Hi,

I'm trying to reduce the number of false positives I'm getting.
One of the "over sensitive" rules is this one:

alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP RCPT TO overflow"; 
flags:A+; content: "rcpt to|3a|"; dsize:>800; reference:cve,CAN-2001-0260; 
reference:bugtraq,2283; classtype:attempted-admin; sid:654; rev:1;)

which alarms every time there is a packet containing "rcpt to:"
and the packet payload is more than 800 bytes, which is not necessarily
the length of the recipient list following "rcpt to:".

[fire-proof overalls on]
Having a kind of limited regular expressions or wild-cards and a way
to reference the size of the matched string would be, at least in this
case, useful. Like  `content: "rcpt to|3a|*|0d 0a|"; msize:>800'
I don't have enough experience with Snort to estimate how
useful it could be in helping to detect other buffer overflows.
Just wanted to share my thoughts.

Regards,
Chris
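The following Python script is an added illustration, not part of the original post and not Snort's own code. It models the two matching strategies discussed above, the posted rule (content match anywhere in the segment plus a whole-payload dsize check) and the proposed alternative (measure only the "rcpt to:" line up to its CRLF), and runs both over constructed SMTP payloads. The "msize" check is hypothetical, as in the post; the sample payloads are constructed, not captured traffic, and use lowercase "rcpt to:" because the rule as written has no nocase modifier and is therefore case-sensitive.

```python
# Added example (not from the original post): model sid:654 and the proposed
# matched-string-length check, then compare them on constructed SMTP segments.

RCPT_TO = b"rcpt to:"   # the rule's content: "rcpt to|3a|" (no nocase, so case-sensitive)
CRLF = b"\r\n"


def sid654_matches(payload: bytes, dsize: int = 800) -> bool:
    """Logic of sid:654 as posted: content anywhere in the segment AND the
    whole payload larger than dsize bytes. The flags:A+ test is not modelled."""
    return RCPT_TO in payload and len(payload) > dsize


def rcpt_line_length(payload: bytes) -> int:
    """Length of the matched string from 'rcpt to:' up to the terminating CRLF
    (the proposed 'rcpt to|3a|*|0d 0a|' pattern); 0 when the command is absent."""
    start = payload.find(RCPT_TO)
    if start < 0:
        return 0
    end = payload.find(CRLF, start)
    if end < 0:
        end = len(payload)  # unterminated line: measure to the end of the segment
    return end - start


def msize_matches(payload: bytes, msize: int = 800) -> bool:
    """Hypothetical 'msize' check: alert only when the RCPT TO line itself is long."""
    return rcpt_line_length(payload) > msize


# Constructed samples (not real captures).
SAMPLES = {
    # A client pipelining MAIL/RCPT/DATA and the message body in one segment:
    # the payload is well over 800 bytes but the RCPT TO line is short.
    "pipelined_legit": (
        b"mail from:<alice@example.com>\r\n"
        b"rcpt to:<bob@example.com>\r\n"
        b"data\r\n"
        b"Subject: quarterly report\r\n\r\n"
        + b"lorem ipsum " * 80 + b"\r\n.\r\n"
    ),
    # An oversized recipient argument: both checks fire.
    "long_rcpt": b"rcpt to:<" + b"A" * 900 + b">\r\n",
    # An ordinary short command: neither fires.
    "short_rcpt": b"rcpt to:<bob@example.com>\r\n",
}


def evaluate(samples=SAMPLES):
    """Return {name: (sid654_fires, msize_fires, rcpt_line_length)} per sample."""
    return {
        name: (sid654_matches(p), msize_matches(p), rcpt_line_length(p))
        for name, p in samples.items()
    }


if __name__ == "__main__":
    for name, (dsize_hit, msize_hit, n) in evaluate().items():
        print(f"{name:16s} sid654={dsize_hit!s:5s} msize={msize_hit!s:5s} rcpt_line={n}")
```

Running it shows the pipelined segment tripping the dsize rule while its RCPT TO line is only 25 bytes, which is exactly the false positive described above; the oversized recipient trips both checks.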
