[Snort-users] smtp rcpt to overflow

Edwin Eefting edwin at ...2758...
Wed Jun 5 08:33:02 EDT 2002

On Wed, 5 Jun 2002 10:44:42 -0400 Hugo Ferr <snortgrp at ...125...> wrote:

> 'SMTP RCPT TO' overflow is buffer overflow for Lotus Sevrers. I have 7444
> entries for the same exploit but I have sendmail server.
> All 744 come form the same address, it looks like guy is pretty
> persistent
> or he just cannot figuer out that this is not a Lotus server :-)
> Just want to double-check: this exploit cannnot cause any damage to
> sendmail
> systems, right?

Sometimes exploits have to be "bruteforced" for technical reasons. (finding
the right offset on a stack for example) When someone is trying to
bruteforce something, you'll see a lot of repetitions of the same
alert rule. (maybe there should be added some "count option" for such exploits
to these rules.)

Most of the time however, this is some kind of false alert of weak rule.
("weak" in like: "many false positives")

I wouldn't worry at all if you see alerts for a service you aren't running.
(just some false positives, or some kind of idot :-) It might be
interesting to search for other alerts from the same adress. If these do
exist, this could be an indication of some hacker or scriptkiddo screwing
around with your systems. :)

Hope this helps,

Met vriendelijke groet,      /\ ___/          
Edwin Eefting               /- \ _/  Business Internet Trends BV
                           /--- \/           __________________

More information about the Snort-users mailing list