[Snort-users] False positives with SMTP RCPT TO overflow rule

Matt Kettler mkettler at ...4108...
Tue Jun 25 11:15:04 EDT 2002


This came up a week or so ago. My general recommendation is that unless you 
run a vulnerable mailserver, kill this rule completely.

AFAIK this rule is easily bypassed by an attacker, and readily false-prone 
due to SMTP command pipelining. IMHO this rule is so completely broken has 
no place in a general-purpose deployment of snort.

At 11:09 AM 6/25/2002 -0600, Nels Lindquist wrote:
>Hi there.
>
>I just updated my signatures to the latest ones (as of June 24,
>anyway) and suddenly I'm getting hundreds of alerts on SMTP RCPT TO
>overflow.





More information about the Snort-users mailing list