[Snort-users] False positives with SMTP RCPT TO overflow rule

Nels Lindquist nlindq at ...3834...
Thu Jun 27 09:36:02 EDT 2002


This seems to have dropped into the bit bucket the first time I sent 
it, so here we go again:

On 25 Jun 2002 at 14:16, Matt Kettler wrote:

> At 11:09 AM 6/25/2002 -0600, Nels Lindquist wrote:
> >
> >I just updated my signatures to the latest ones (as of June 24,
> >anyway) and suddenly I'm getting hundreds of alerts on SMTP RCPT TO
> >overflow.

> This came up a week or so ago. My general recommendation is that unless you 
> run a vulnerable mailserver, kill this rule completely.

Will do.
 
> AFAIK this rule is easily bypassed by an attacker, and readily false-prone 
> due to SMTP command pipelining. IMHO this rule is so completely broken has 
> no place in a general-purpose deployment of snort.

I noticed in the archived Bugtraq description of the vulnerability 
that no known exploit exists.  Does that make it difficult/impossible 
to create a signature specific to this vulnerability?

Speaking of general-purpose snort deployments, are there any 
documented recommendations for which rules/rulesets ought to be 
included?  Or is it just a given that one should be reviewing each 
and every rule for applicability to one's own situation?  I looked 
through the Snort docs, but they seem to be more tailored to rule 
creation.  If I didn't RTFM carefully enough, please let me know.

----
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.





More information about the Snort-users mailing list