[Snort-users] False positives with SMTP RCPT TO overflow rule
mkettler at ...4108...
Tue Jun 25 11:15:04 EDT 2002
This came up a week or so ago. My general recommendation is that unless you
run a vulnerable mailserver, kill this rule completely.
AFAIK this rule is easily bypassed by an attacker, and readily false-prone
due to SMTP command pipelining. IMHO this rule is so completely broken has
no place in a general-purpose deployment of snort.
At 11:09 AM 6/25/2002 -0600, Nels Lindquist wrote:
>I just updated my signatures to the latest ones (as of June 24,
>anyway) and suddenly I'm getting hundreds of alerts on SMTP RCPT TO
More information about the Snort-users