[Snort-users] SMTP HELO overflow attempt
secsnort at ...5528...
Tue Jul 30 14:36:02 EDT 2002
This rule is for Lotus Notes. You can ignore it if you are not running
----- Original Message -----
From: "Andreas Hasenack" <andreas at ...1574...>
To: "Capps Family" <capps27 at ...4371...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Tuesday, July 30, 2002 4:01 PM
Subject: Re: [Snort-users] SMTP HELO overflow attempt
> On Mon, Jul 29, 2002 at 07:14:17PM -0700, Capps Family wrote:
> > I then configured snort to log with the "X" option. When I compared
> > the data captured for that IP with the same data in the tcpdump
> > packet, the IP header looks completely different. Tcpdump looks
> > perfect, the snort dump ip header data looks like it's been
> > corrupted.
> I've also seen some sort of corruption recently and I also have been
> my head. What I see sometimes is some sort of overlapping happening with
> the data in the payload of HTTP packets.
> I also caught the most weird "scan" (snort called it a FIN scan): a tcp
> segment with only FIN set (no ACK flag set, but with an ACK number),
> to port 53, and with a mail-like payload, with smtp commands, such as
> FROM:", "DATA" and "QUIT", and a TCP header length of zero. Didn't have a
> parallel tcpdump running, so I don't know if the packet was really like
> or if some corruption took place.
> I'm using Version 1.8.7beta5 (Build 121)
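The packet Andreas describes above (FIN without ACK, a non-zero acknowledgement number, a TCP header length of zero, SMTP-style commands sent to port 53) is the kind of thing worth re-checking from raw bytes before deciding whether Snort decoded it wrongly or the wire really carried it. The following Python is an added example and is not code from the thread or from Snort: it parses an IPv4+TCP packet by hand, records every structural oddity instead of raising on the first one, and is run over a constructed packet built to match that description plus a well-formed control packet. The 10.0.0.x addresses, the builder function, and the short list of SMTP verbs used as a heuristic are assumptions made for the example.

```python
import struct
from dataclasses import dataclass, field

# Classic six TCP flag bits.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {TCP_FIN: "FIN", TCP_SYN: "SYN", TCP_RST: "RST",
              TCP_PSH: "PSH", TCP_ACK: "ACK", TCP_URG: "URG"}
# Assumption: a handful of SMTP verbs is enough to call a payload "mail-like".
SMTP_VERBS = {b"HELO", b"EHLO", b"MAIL", b"RCPT", b"DATA", b"QUIT"}


@dataclass
class TcpSummary:
    sport: int
    dport: int
    seq: int
    ack: int
    data_offset: int          # header length in 32-bit words; only 5..15 are valid
    flags: int
    payload: bytes
    problems: list = field(default_factory=list)

    def flag_string(self) -> str:
        return "|".join(n for b, n in FLAG_NAMES.items() if self.flags & b) or "none"


def looks_like_smtp(payload: bytes) -> bool:
    """True if any line of the payload starts with one of the SMTP verbs above."""
    for line in payload.splitlines():
        verb = line.split(b" ", 1)[0].rstrip(b":").upper()
        if verb in SMTP_VERBS:
            return True
    return False


def parse_ipv4_tcp(packet: bytes) -> TcpSummary:
    """Decode IPv4+TCP headers, collecting inconsistencies rather than stopping at the first."""
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    problems = []
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4:
        problems.append(f"IP version {version} != 4")
    if ihl < 20:
        problems.append(f"IP header length {ihl} < 20")
        ihl = 20  # assumption: continue at the minimum header size
    if packet[9] != 6:
        problems.append(f"IP protocol {packet[9]} is not TCP")
    tcp = packet[ihl:]
    if len(tcp) < 20:
        raise ValueError("too short for a TCP header")
    sport, dport, seq, ack, off_res, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    data_offset = off_res >> 4
    flags &= 0x3F
    if data_offset < 5:
        # A data offset below 5 cannot describe a real header; "header length zero" is this case.
        problems.append(f"TCP data offset {data_offset} < 5 (header length {data_offset * 4} bytes is impossible)")
        hdr_len = 20  # assumption: treat as a bare 20-byte header to locate the payload
    else:
        hdr_len = data_offset * 4
    payload = tcp[hdr_len:]
    if flags & TCP_FIN and not flags & TCP_ACK:
        problems.append("FIN set without ACK")
    if not flags & TCP_ACK and ack != 0:
        problems.append(f"ACK flag clear but acknowledgement number {ack:#x} is non-zero")
    if flags & TCP_SYN and flags & TCP_FIN:
        problems.append("SYN and FIN both set")
    if dport != 25 and looks_like_smtp(payload):
        problems.append(f"SMTP-looking payload on port {dport}")
    return TcpSummary(sport, dport, seq, ack, data_offset, flags, payload, problems)


def build_ipv4_tcp(sport, dport, seq, ack, data_offset, flags, payload: bytes) -> bytes:
    """Build a minimal IPv4+TCP packet (checksums left zero; assumption: not needed offline)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


# Constructed sample matching the description: FIN only, ACK number set, data offset 0,
# destination port 53, SMTP commands in the payload.
MAIL_PAYLOAD = b"MAIL FROM:<user@example.net>\r\nDATA\r\nQUIT\r\n"
SUSPECT_PACKET = build_ipv4_tcp(40000, 53, 0x11111111, 0x1A2B3C4D, 0, TCP_FIN, MAIL_PAYLOAD)
# Constructed control: the same payload on a well-formed segment to port 25.
CONTROL_PACKET = build_ipv4_tcp(40000, 25, 0x11111111, 0x1A2B3C4D, 5, TCP_ACK | TCP_PSH, MAIL_PAYLOAD)

if __name__ == "__main__":
    for name, pkt in (("suspect", SUSPECT_PACKET), ("control", CONTROL_PACKET)):
        s = parse_ipv4_tcp(pkt)
        print(f"{name}: dport={s.dport} flags={s.flag_string()} offset={s.data_offset}")
        for p in s.problems:
            print("   -", p)
```

Run against both a Snort binary log and a parallel tcpdump capture of the same segment: if only one decoder's bytes trip the data-offset check, the corruption is in that tool's path rather than on the wire.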