[Snort-users] False positives with SMTP RCPT TO overflow rule
nlindq at ...3834...
Thu Jun 27 09:36:02 EDT 2002
This seems to have dropped into the bit bucket the first time I sent
it, so here we go again:
On 25 Jun 2002 at 14:16, Matt Kettler wrote:
> At 11:09 AM 6/25/2002 -0600, Nels Lindquist wrote:
> >I just updated my signatures to the latest ones (as of June 24,
> >anyway) and suddenly I'm getting hundreds of alerts on SMTP RCPT TO
> This came up a week or so ago. My general recommendation is that unless you
> run a vulnerable mailserver, kill this rule completely.
> AFAIK this rule is easily bypassed by an attacker, and readily false-prone
> due to SMTP command pipelining. IMHO this rule is so completely broken it has
> no place in a general-purpose deployment of snort.
I noticed in the archived Bugtraq description of the vulnerability
that no known exploit exists. Does that make it difficult/impossible
to create a signature specific to this vulnerability?
Speaking of general-purpose snort deployments, are there any
documented recommendations for which rules/rulesets ought to be
included? Or is it just a given that one should be reviewing each
and every rule for applicability to one's own situation? I looked
through the Snort docs, but they seem to be more tailored to rule
creation. If I didn't RTFM carefully enough, please let me know.
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.
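To make the pipelining point concrete, here is an added illustration that is not part of the thread and is not Snort's rule: it models a naive "RCPT TO in a large segment" heuristic next to a check that measures the argument of each individual RCPT TO command, and runs both over constructed client-to-server samples (a legitimate RFC 2920 pipelined batch, a normal exchange, and a single oversized RCPT TO). The thresholds, helper names and sample addresses are my own assumptions, not values from the real signature.

```python
"""
Added example (mine, not from the Snort-users thread or from Snort itself).

The "naive" rule below is a simplification of a dsize-style signature:
alert when a client-to-server SMTP segment contains 'RCPT TO:' and the
whole segment is larger than SEGMENT_THRESHOLD.  The "per-command" check
instead splits the segment into SMTP command lines and measures only the
argument of each RCPT TO.  Thresholds are illustrative assumptions.
"""
import re
from typing import Dict, List, Optional

SEGMENT_THRESHOLD = 800   # assumed whole-segment trigger for the naive rule
MAX_RCPT_ARG = 512        # assumed per-command limit; RFC 2821 caps a path at 256 octets

# Matches "RCPT TO:" (case-insensitive) and captures whatever follows.
RCPT_RE = re.compile(rb"^RCPT\s+TO:\s*(.*)$", re.IGNORECASE)


def split_smtp_commands(segment: bytes) -> List[bytes]:
    """Split one client-to-server segment into individual command lines.
    SMTP commands end in CRLF.  A command split across two TCP segments
    would need stream reassembly; this toy only looks inside one segment."""
    return [line for line in segment.split(b"\r\n") if line]


def rcpt_argument_length(command: bytes) -> Optional[int]:
    """Length of the RCPT TO argument, or None if this is not a RCPT TO."""
    match = RCPT_RE.match(command.strip())
    if match is None:
        return None
    return len(match.group(1).strip())


def naive_segment_rule(segment: bytes) -> bool:
    """Models the false-positive-prone heuristic: any RCPT TO inside a
    large segment fires, regardless of how many commands the segment holds."""
    return b"rcpt to:" in segment.lower() and len(segment) > SEGMENT_THRESHOLD


def per_command_rule(segment: bytes) -> bool:
    """Fires only if some single RCPT TO carries an oversized argument."""
    lengths = [n for n in map(rcpt_argument_length, split_smtp_commands(segment))
               if n is not None]
    return any(n > MAX_RCPT_ARG for n in lengths)


def build_pipelined_segment(recipient_count: int) -> bytes:
    """Constructed sample: a pipelining client (RFC 2920) sending MAIL FROM,
    many short RCPT TO commands and DATA in a single TCP segment."""
    lines = [b"MAIL FROM:<list-owner@example.com>"]
    lines += [b"RCPT TO:<user%03d@example.com>" % i for i in range(recipient_count)]
    lines.append(b"DATA")
    return b"\r\n".join(lines) + b"\r\n"


def build_oversized_rcpt(arg_len: int) -> bytes:
    """Constructed sample: one RCPT TO whose argument is far beyond any sane path."""
    return b"RCPT TO:<" + b"A" * arg_len + b"@example.com>\r\n"


# Constructed traffic samples, all client-to-server.
SAMPLES: Dict[str, bytes] = {
    "normal": b"MAIL FROM:<a@example.com>\r\nRCPT TO:<b@example.com>\r\n",
    "pipelined": build_pipelined_segment(40),   # ~1.2 KB of legitimate commands
    "oversized": build_oversized_rcpt(1200),    # a single 1.2 KB RCPT TO argument
}


def evaluate(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, Dict[str, bool]]:
    """Run both checks over every sample and report which ones fire."""
    return {
        name: {"naive": naive_segment_rule(seg), "per_command": per_command_rule(seg)}
        for name, seg in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:10s} naive={verdict['naive']!s:5s} per_command={verdict['per_command']}")
```

Running it shows the naive check firing on both the pipelined batch and the oversized command, while the per-command check fires only on the oversized one. Even the per-command version only sees one segment at a time; a real detector has to reassemble the TCP stream and carry a partial command line over to the next segment, which is where a stateless rule loses track of what it is measuring.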