[Snort-users] SNORT and SMTP RBLs

David Flanigan dave at ...6218...
Tue Jul 2 06:41:44 EDT 2002


Hello:

 It seems snort reports the disconnection associated with Sendmail RBL 
(realtime blackholes) as an "Attempted Administrative Privilege Gain" via 
SMTP HELO or RCPT TO overflow. 

 We use RBLs to keep the spam down. Is there a way to modify the rule so it 
doesn't misreport this? I hate to disable two otherwise good rules. 



Jul  1 19:40:14 dflx snort: [1:1549:5] SMTP HELO overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 193.225.10.130:18929 -> 67.36.126.141:25
Jul  1 20:18:33 dflx snort: [1:654:5] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 130.155.191.236:2695 -> 67.36.126.141:25
Jul  1 20:20:07 dflx snort: [1:654:5] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 210.115.125.11:3857 -> 67.36.126.141:25
Jul  1 20:22:22 dflx snort: [1:654:5] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 204.152.184.27:1625 -> 67.36.126.141:25
Jul  1 20:23:03 dflx snort: [1:654:5] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 66.46.150.18:43636 -> 67.36.126.141:25
--
Kind Regards, 
David A. Flanigan

dave at ...6218...
http://www.flanigan.net
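The triage problem the post describes (SIDs 1549 and 654 firing on sessions the MTA was already rejecting via an RBL) can be handled on the analysis side before touching the rules. The following is an added example, not code from the post or from the Snort project: it parses the syslog-style Snort alert lines quoted above, extracts client IPs that Sendmail rejected with a 550 from an RBL lookup, and marks each alert whose source was RBL-rejected within a short window as a likely false positive to review. The Snort alert lines are the ones from the post; the Sendmail log lines, their field layout (`ruleset=`, `relay=[ip]`, `reject=550`), the `bl.example.org` zone and the queue IDs are constructed for the example and should be adjusted to whatever your MTA actually logs.

```python
"""Triage Snort SMTP overflow alerts against Sendmail RBL rejections.

Added example (not from the mailing-list post): correlate the Snort alerts
quoted in the post with a constructed Sendmail log so that alerts caused by
RBL-rejected sessions can be reviewed separately instead of disabling
SIDs 1549 and 654 outright.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Syslog-style Snort alert line, as quoted in the post (one alert per line).
ALERT_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) snort: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>.+?)\] \[Priority: (?P<pri>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Sendmail RBL rejection line. This layout is an assumption modelled on
# sendmail's ruleset=/relay=/reject= fields; adapt it to your own mail log.
RBL_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \S+: "
    r"ruleset=\S+, .*?relay=\S*?\[(?P<ip>[\d.]+)\].*?reject=550"
)

# Snort alerts exactly as quoted in the post (unwrapped onto single lines).
SNORT_LOG = """\
Jul  1 19:40:14 dflx snort: [1:1549:5] SMTP HELO overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 193.225.10.130:18929 -> 67.36.126.141:25
Jul  1 20:18:33 dflx snort: [1:654:5] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 130.155.191.236:2695 -> 67.36.126.141:25
Jul  1 20:20:07 dflx snort: [1:654:5] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 210.115.125.11:3857 -> 67.36.126.141:25
Jul  1 20:22:22 dflx snort: [1:654:5] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 204.152.184.27:1625 -> 67.36.126.141:25
Jul  1 20:23:03 dflx snort: [1:654:5] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 66.46.150.18:43636 -> 67.36.126.141:25
"""

# Constructed Sendmail log: three rejections a second or two before the
# matching Snort alerts, plus one old rejection that falls outside the window.
MAIL_LOG = """\
Jul  1 19:00:00 dflx sendmail[2100]: g620x0AA002100: ruleset=check_relay, arg1=[66.46.150.18], arg2=127.0.0.2, relay=[66.46.150.18], reject=550 5.7.1 Rejected: 66.46.150.18 listed at bl.example.org
Jul  1 20:18:32 dflx sendmail[2211]: g621IWAA002211: ruleset=check_relay, arg1=[130.155.191.236], arg2=127.0.0.2, relay=[130.155.191.236], reject=550 5.7.1 Rejected: 130.155.191.236 listed at bl.example.org
Jul  1 20:20:05 dflx sendmail[2230]: g621K5AA002230: ruleset=check_relay, arg1=[210.115.125.11], arg2=127.0.0.2, relay=[210.115.125.11], reject=550 5.7.1 Rejected: 210.115.125.11 listed at bl.example.org
Jul  1 20:22:20 dflx sendmail[2251]: g621MKAA002251: ruleset=check_relay, arg1=[204.152.184.27], arg2=127.0.0.2, relay=[204.152.184.27], reject=550 5.7.1 Rejected: 204.152.184.27 listed at bl.example.org
"""


def parse_ts(text):
    """Syslog timestamps carry no year; strptime defaults to 1900, fine for deltas."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S")


def parse_snort_alerts(log):
    """Return one dict per Snort alert line, with a parsed 'time' field added."""
    alerts = []
    for m in ALERT_RE.finditer(log):
        d = m.groupdict()
        d["time"] = parse_ts(d["ts"])
        alerts.append(d)
    return alerts


def rbl_rejections(maillog):
    """Return (client_ip, time) pairs for sessions the MTA rejected via RBL."""
    return [(m.group("ip"), parse_ts(m.group("ts"))) for m in RBL_RE.finditer(maillog)]


def count_by_sid(alerts):
    """How often each SID fired; shows which rules carry the noise."""
    return Counter(a["sid"] for a in alerts)


def triage(alerts, rejections, window=timedelta(seconds=60)):
    """Tag an alert 'likely RBL reject' when the same source IP was RBL-rejected
    by the MTA within `window` of the alert; everything else stays 'review'."""
    result = []
    for a in alerts:
        hit = any(ip == a["src"] and abs(a["time"] - t) <= window for ip, t in rejections)
        result.append((a["sid"], a["src"], "likely RBL reject" if hit else "review"))
    return result


if __name__ == "__main__":
    alerts = parse_snort_alerts(SNORT_LOG)
    print(dict(count_by_sid(alerts)))
    for sid, src, verdict in triage(alerts, rbl_rejections(MAIL_LOG)):
        print(f"sid {sid:>5}  {src:<16} {verdict}")
```

Run against a real Snort syslog feed and the MTA log, this separates the alerts that coincide with an RBL rejection from the ones that do not, which is the list worth looking at before deciding whether the rule needs a `$SMTP_SERVERS` or source-address adjustment.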




