[Snort-users] False positives with SMTP RCPT TO overflow rule

Slighter, Tim tslighter at ...5174...
Tue Jun 25 12:10:08 EDT 2002

Adding to that, I am fairly certain that this rule pertains to Lotus Notes.

-----Original Message-----
From: Matt Kettler [mailto:mkettler at ...4108...]
Sent: Tuesday, June 25, 2002 12:16 PM
To: Nels Lindquist; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] False positives with SMTP RCPT TO overflow

This came up a week or so ago. My general recommendation is that unless you 
run a vulnerable mailserver, kill this rule completely.

AFAIK this rule is easily bypassed by an attacker, and readily false-prone 
due to SMTP command pipelining. IMHO this rule is so completely broken has 
no place in a general-purpose deployment of snort.

At 11:09 AM 6/25/2002 -0600, Nels Lindquist wrote:
>Hi there.
>I just updated my signatures to the latest ones (as of June 24,
>anyway) and suddenly I'm getting hundreds of alerts on SMTP RCPT TO

This sf.net email is sponsored by: Jabber Inc.
Don't miss the IM event of the season | Special offer for OSDN members! 
JabConf 2002, Aug. 20-22, Keystone, CO http://www.jabberconf.com/osdn
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list