[Snort-users] False positives with SMTP RCPT TO overflow rule

Nels Lindquist nlindq at ...3834...
Tue Jun 25 10:10:03 EDT 2002


Hi there.

I just updated my signatures to the latest ones (as of June 24, 
anyway) and suddenly I'm getting hundreds of alerts on SMTP RCPT TO 
overflow.

Looking at the payloads in ACID, every one of the alerts appears to 
be a false positive, i.e., part of a legitimate SMTP conversation.

I did a comparison between the older version of the signature I was 
using previously, and the only difference is the addition of the 
"nocase" option.

