[Snort-users] SMTP RCPT TO overflow

Jhumri Tilayia tilayia at ...125...
Thu Apr 25 15:25:29 EDT 2002


It's obvious that the following rule is setting off the alert:

alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP RCPT TO overflow"; flags:A+; content:"rcpt to|3a|"; dsize:>800; reference:cve,CAN-2001-0260; reference:bugtraq,2283; classtype:attempted-admin; sid:654; rev:1;)

Is the dsize:>800 for the packet or only for the content? We are not sure 
what is setting off the alert since our maillogs don't indicate mail being 
sent to a recipient with a very long name or control characters etc. in the 
name. Anyone else experience something similar?


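The question above turns on how Snort combines the two options: `content` searches the packet payload for the byte string, while `dsize` tests the length of the whole packet payload, not the length of whatever `content` matched. The small model below is an added example, not code from the poster or from Snort; it re-implements just those two checks for the rule as quoted (no `nocase`, so the content match is case-sensitive) and runs them over constructed sample TCP payloads. The function names (`decode_content`, `parse_dsize`, `evaluate`, `run_samples`) and the sample data are mine. The pipelined sample shows how a segment that carries a short `rcpt to:` line together with several hundred bytes of message body trips the rule even though no recipient name is long, which is one benign explanation for alerts that do not show up in the mail logs.

```python
import re
from typing import Callable

# Detection options copied from the rule quoted in the post (rule as written: no "nocase").
CONTENT_SPEC = "rcpt to|3a|"
DSIZE_SPEC = ">800"


def decode_content(spec: str) -> bytes:
    """Turn a Snort content string into raw bytes.

    Text outside the pipe characters is literal; hex pairs between pipes are bytes,
    so "rcpt to|3a|" becomes b"rcpt to:".
    """
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")   # literal text
        else:
            out += bytes.fromhex(chunk)      # |..| hex section
    return bytes(out)


def parse_dsize(spec: str) -> Callable[[int], bool]:
    """Parse the dsize forms N, >N and <N into a predicate on payload length.

    (The min<>max range form is not modelled here.)
    """
    m = re.fullmatch(r"([<>]?)(\d+)", spec.strip())
    if not m:
        raise ValueError(f"unsupported dsize spec: {spec!r}")
    op, n = m.group(1), int(m.group(2))
    if op == ">":
        return lambda size: size > n
    if op == "<":
        return lambda size: size < n
    return lambda size: size == n


def evaluate(payload: bytes, content_spec: str = CONTENT_SPEC,
             dsize_spec: str = DSIZE_SPEC) -> dict:
    """Apply the content and dsize checks to one TCP payload the way Snort does:
    content is a substring search over the payload, dsize is a test on the
    length of the entire payload. Both must hold for the rule to alert."""
    needle = decode_content(content_spec)
    size_ok = parse_dsize(dsize_spec)
    content_hit = needle in payload          # case-sensitive without nocase
    dsize_hit = size_ok(len(payload))        # whole payload, not the match
    return {
        "payload_len": len(payload),
        "content": content_hit,
        "dsize": dsize_hit,
        "alert": content_hit and dsize_hit,
    }


# Constructed sample payloads (not real captures), one TCP segment each.
SAMPLES = {
    # Ordinary recipient line on its own: content matches, payload far below 800 bytes.
    "short_rcpt": b"rcpt to:<bob@example.test>\r\n",
    # Client pipelines RCPT TO, DATA and the message body in one segment:
    # the recipient is short, but the payload is well over 800 bytes.
    "pipelined_rcpt_plus_body": (b"rcpt to:<bob@example.test>\r\nDATA\r\n"
                                 b"Subject: hi\r\n\r\n" + b"x" * 900 + b"\r\n.\r\n"),
    # The case the rule was written for: an oversized recipient string.
    "long_recipient": b"rcpt to:<" + b"A" * 900 + b"@example.test>\r\n",
    # Upper-case command: the quoted rule has no nocase, so content does not match.
    "uppercase_short": b"RCPT TO:<bob@example.test>\r\n",
}


def run_samples() -> dict:
    """Evaluate every constructed sample and return the per-sample results."""
    return {name: evaluate(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in run_samples().items():
        print(f"{name:26s} len={r['payload_len']:5d} content={r['content']!s:5s} "
              f"dsize={r['dsize']!s:5s} alert={r['alert']}")
```

When checking a real alert, compare the packet's payload length (Snort's `dsize` value) with the position and length of the `rcpt to:` match: if the payload is large because of pipelined commands or message body rather than a long recipient, the alert is a false positive of the kind the post describes.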