[Snort-users] SMTP HELO overflow attempt

Ian Macdonald secsnort at ...5528...
Tue Jul 30 14:36:02 EDT 2002


This rule is for Lotus Notes. You can ignore it if you are not running
Lotus Notes.

Thanks

----- Original Message -----
From: "Andreas Hasenack" <andreas at ...1574...>
To: "Capps Family" <capps27 at ...4371...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Tuesday, July 30, 2002 4:01 PM
Subject: Re: [Snort-users] SMTP HELO overflow attempt


> On Mon, Jul 29, 2002 at 07:14:17PM -0700, Capps Family wrote:
> >    I then configured snort to log with the "X" option.  When I compared
> >    the data captured for that IP with the same data in the tcpdump
> >    packet, the IP header looks completely different.  Tcpdump looks
> >    perfect, the snort dump ip header data looks like it's been
> >    corrupted.
>
> I've also seen some sort of corruption recently and I also have been
> scratching my head. What I see sometimes is some sort of overlapping
> happening with the data in the payload of HTTP packets.
>
> I also caught the most weird "scan" (snort called it a FIN scan): a TCP
> segment with only FIN set (no ACK flag set, but with an ACK number),
> directed to port 53, and with a mail-like payload, with SMTP commands,
> such as "MAIL FROM:", "DATA" and "QUIT", and a TCP header length of zero.
> Didn't have a parallel tcpdump running, so I don't know if the packet was
> really like this or if some corruption took place.
>
> I'm using Version 1.8.7beta5 (Build 121)