[Snort-users] SMTP RCPT TO overflow
tilayia at ...125...
Thu Apr 25 15:25:29 EDT 2002
It's obvious that the following rule is setting off the alert:
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP RCPT TO overflow";
flags:A+; content:"rcpt to|3a|"; dsize:>800; reference:cve,CAN-2001-0260;
reference:bugtraq,2283; classtype:attempted-admin; sid:654; rev:1;)
Is the dsize:>800 for the packet or only for the content? We are not sure
what is setting off the alert since our maillogs don't indicate mail being
sent to a recipient with a very long name or control characters etc. in the
name. Anyone else experience something similar?
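Added illustration (editor's example, not code from the poster or from the Snort project): in Snort, dsize tests the size of the whole TCP payload, not the length of the matched content, and a content match without the nocase modifier is case-sensitive. The small model below applies those two tests of SID 654 to three constructed SMTP payloads and, alongside, measures the longest RCPT TO argument in each, which shows why a packet can trip dsize:>800 without any single recipient name being long (for instance a pipelined batch of ordinary RCPT TO commands). The sample payloads, the regular expression and the helper names are assumptions made for this example.

```python
"""Model of the two payload tests in Snort rule SID 654 (added illustration)."""
import re

CONTENT = b"rcpt to:"   # content:"rcpt to|3a|" -- |3a| is hex for ':'
DSIZE_MIN = 800         # dsize:>800 -- strictly greater than 800 payload bytes


def rule_matches(payload: bytes) -> bool:
    """True when both payload tests of the rule pass.

    dsize compares the size of the entire TCP payload, not the length of the
    matched content, so the two tests are independent of each other.  The
    rule has no 'nocase' modifier, so the content test is case-sensitive.
    """
    return len(payload) > DSIZE_MIN and CONTENT in payload


# Assumed pattern for pulling the RCPT TO argument out of an SMTP command.
RCPT_RE = re.compile(rb"rcpt to:\s*<?([^>\r\n]*)>?", re.IGNORECASE)


def longest_recipient(payload: bytes) -> int:
    """Length in bytes of the longest RCPT TO argument (0 if none present)."""
    return max((len(m.group(1)) for m in RCPT_RE.finditer(payload)), default=0)


# Constructed sample payloads (not captured traffic).
LONG_RECIPIENT = b"rcpt to:<" + b"A" * 900 + b"@example.com>\r\n"   # 924 bytes
NORMAL_RCPT = b"rcpt to:<bob@example.com>\r\n"                        # 27 bytes
PIPELINED = (                                                          # 1237 bytes
    b"mail from:<alice@example.net>\r\n"
    + b"".join(b"rcpt to:<user%02d@example.com>\r\n" % i for i in range(40))
    + b"data\r\n"
)


if __name__ == "__main__":
    for name, payload in (("long recipient", LONG_RECIPIENT),
                          ("normal rcpt", NORMAL_RCPT),
                          ("pipelined batch", PIPELINED)):
        print(f"{name:16s} payload={len(payload):5d} bytes "
              f"longest_rcpt={longest_recipient(payload):4d} "
              f"alert={rule_matches(payload)}")
```

The pipelined batch alerts just like the oversized recipient does, even though its longest recipient is only 18 bytes, so a mail log showing only normal-looking addresses does not rule out the alert being a legitimate match on a large packet. An uppercase "RCPT TO:" of the same size does not alert at all, because the content test is case-sensitive as the rule is written.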