[Snort-users] False positives with SMTP RCPT TO overflow rule

Chris Green cmg at ...1935...
Thu Jun 27 12:35:03 EDT 2002

Just as an FYI, these alerts are a bit more common than they used to
be because of a change in stream reassembly. In the Snort 1.9 series,
we've changed the dsize keyword to return 0 if it's a rebuilt packet.
Better analysis capabilities are in the works but this mitigates
things a bit.

Chris Green <cmg at ...1935...>
Don't use a big word where a diminutive one will suffice.
