[Snort-users] False positives

Chris Osicki osk at ...3916...
Tue Oct 30 07:45:02 EST 2001


I know what this rule is supposed to alert about, it triggers on 
_every_ "rcpt to:" packet longer than 800 bytes though.
I know I could comment it out, but my goal is to collect as much 
as possible traces of attacks, even if they are not relevant for
my current infrastructure. They are potential threats and I want 
to know about them.
Anyway, thanks for your reply and suggestion.


> This message is in MIME format. Since your mail reader does not understand
> this format, some or all of this message may not be legible.
> ------_=_NextPart_001_01C16153.6471D5A5
> Content-Type: text/plain;
> 	charset="iso-8859-1"
> This rule triggers on a Lotus Domino Mail Server overflow error. Do you have
> a Domino Mail server? If not comment out the rule. I had a bunch of these
> false positives with Exchange so I simply commented out the rule. Here's the
> CVE:
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0260
> Mike
> -----Original Message-----
> From: Chris Osicki [mailto:osk at ...3916...]
> Sent: Tuesday, October 30, 2001 9:11 AM
> To: Snort-users at lists.sourceforge.net
> Subject: [Snort-users] False positives
> Hi,
> I'm trying to reduce the number of false positives I'm getting.
> One of the "over sensitive" rule is this one:
> alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP RCPT TO overflow"; 
> flags:A+; content: "rcpt to|3a|"; dsize:>800; reference:cve,CAN-2001-0260; 
> reference:bugtraq,2283; classtype:attempted-admin; sid:654; rev:1;)
> which alarms every time there is a packet containing "rcpt to:"
> and the packet payload is more than 800 bytes. Which is not necessarily
> the length of recipients list to "rcpt to:".
> [fire-proof overalls on]
> Having a kind of limited regular expressions or wild-cards and a way
> to reference the size of the matched string would be, at least in this 
> case, useful. Like  `content: "rcpt to|3a|*|0d 0a|"; msize:>800'
> I don't have enough experience with snort to estimate how 
> useful could it be to help detect other buffer overflows.
> Just wanted to share my thoughts.
> Regards,
> Chris
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list