[Snort-users] False positives with SMTP RCPT TO overflow rule

Chris Green cmg at ...1935...
Thu Jun 27 12:35:03 EDT 2002


Just as an FYI, these alerts are a bit more common than they used to
be because of a change in stream reassembly. In the Snort 1.9 series,
we've changed the dsize keyword to return 0 if it's a rebuilt packet.
Better analysis capabilities are in the works but this mitigates
things a bit.

Cheers,
Chris
-- 
Chris Green <cmg at ...1935...>
Don't use a big word where a diminutive one will suffice.



