[Snort-users] Broken Signature SMTP RCPT TO

Ian Macdonald secsnort at ...5528...
Wed May 1 09:51:09 EDT 2002


alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP RCPT TO overflow";
flags:A+; content:"rcpt to|3a|"; dsize:>800; reference:cve,CAN-2001-0260;
reference:bugtraq,2283; classtype:attempted-admin; sid:654; rev:1;)

This signature looks broken; it is matching on rcpt but not doing a nocase.
Also, I am not sure if dsize:> 800 will really do what they want to do.

Ian
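
Added example, not part of the original post and not Snort code: a simplified Python model of the rule's case-sensitive content match and its dsize test (which measures the whole packet payload), run over constructed payloads next to a hypothetical per-command length check. The function names, the sample payloads and the reuse of 800 as a per-argument limit are assumptions made for illustration.

```python
import re

# Simplified model of two options in sid:654 (assumption: this is not Snort's
# matcher, only the semantics of a case-sensitive content match plus dsize,
# where dsize is the size of the whole packet payload).
def rule_as_posted(payload: bytes) -> bool:
    return b"rcpt to:" in payload and len(payload) > 800

# Hypothetical stricter check: the verb is matched case-insensitively and the
# length test applies to each RCPT TO argument, not to the packet as a whole.
RCPT_LINE = re.compile(rb"^rcpt to:([^\r\n]*)", re.IGNORECASE | re.MULTILINE)

def per_command_check(payload: bytes, limit: int = 800) -> bool:
    return any(len(m.group(1)) > limit for m in RCPT_LINE.finditer(payload))

# Constructed sample payloads (not captured traffic).
LONG_ARG = b"<" + b"a" * 900 + b"@example.com>"
SAMPLES = {
    # Oversized argument, lower-case verb: the case the rule was written for.
    "lower_long": b"rcpt to:" + LONG_ARG + b"\r\n",
    # Same argument, upper-case verb: missed without nocase.
    "upper_long": b"RCPT TO:" + LONG_ARG + b"\r\n",
    # Forty short, benign recipients pipelined in one payload: each argument
    # is tiny, but the payload as a whole is larger than 800 bytes.
    "pipelined_short": b"".join(
        b"rcpt to:<user%d@example.com>\r\n" % i for i in range(40)
    ),
}

def evaluate() -> dict:
    """Return {sample name: (rule_as_posted, per_command_check)}."""
    return {
        name: (rule_as_posted(p), per_command_check(p))
        for name, p in SAMPLES.items()
    }

if __name__ == "__main__":
    for name, (posted, strict) in evaluate().items():
        print(f"{name:16} as_posted={posted!s:5} per_command={strict}")
```

The upper-case sample shows the missing nocase, and the pipelined sample shows dsize firing on packet size when no single RCPT TO argument is long.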





