[Snort-users] SMTP RCPT TO overflow
Jason.Haar at ...294...
Mon May 6 20:50:04 EDT 2002
On Mon, May 06, 2002 at 11:39:00PM -0400, Brian wrote:
> > Adding an "offset: 0" option to the rule should help. In fact that would
> > almost completely remove false positives on that one I think? (Comments?)
> Unfortunately, that would make us evadable. Many mail servers
> understand " rcpt to <stuff>" (note the spaces), so we could be
> easily evaded by adding the offset:0 stuff.
Gah. I'm responsible for Qmail-Scanner - an Email content scanner, so I am
majorly aware of how antivirus scanners (and now IDS...) have to support
every broken piece of software out there.... However, I wonder if this could
be turned into a feature. We already have "web-iis.rules", why not
That way those of us who care can customize their IDS to match their
environment. I use Qmail - and " rcpt to:" is NEVER going to be a problem
Then the "smtp-strict-rfc.rules" could have things like the offset to reduce
their false-positives, and the sites that have to run "smtp-borked.rules"
would have yet another reason to upgrade their servers :-)
Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
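To illustrate the trade-off Brian describes (an "offset: 0"-style anchor versus a match that tolerates leading whitespace), here is an added example that is not part of the thread and is not Snort's own rule or code; the sample SMTP lines, the 512-byte threshold and the two patterns are constructed for demonstration.

```python
import re

# Constructed sample client lines (not from any real capture).
SAMPLE_LINES = [
    b"RCPT TO:<alice@example.com>\r\n",                    # normal
    b"RCPT TO:<" + b"A" * 600 + b"@example.com>\r\n",      # oversized, starts at offset 0
    b"   rcpt to:<" + b"A" * 600 + b"@example.com>\r\n",   # oversized, leading spaces
]

# Argument length above which an RCPT TO is flagged. This threshold is an
# assumption for the example, not a value taken from any Snort ruleset.
MAX_RCPT_ARG = 512

# "Strict RFC" variant: the command must begin at payload offset 0,
# the behaviour an "offset: 0" option gives a content match.
STRICT = re.compile(rb"^rcpt to", re.IGNORECASE)

# "Lenient" variant: accepts the leading/intervening whitespace that many
# real mail servers tolerate, so a space-prefixed command is still seen.
LENIENT = re.compile(rb"^[ \t]*rcpt[ \t]+to", re.IGNORECASE)


def oversized_rcpt(line: bytes, pattern: re.Pattern) -> bool:
    """True if `line` is an RCPT TO command (per `pattern`) whose argument
    exceeds MAX_RCPT_ARG bytes."""
    m = pattern.match(line)
    if not m:
        return False                       # not recognised as RCPT TO at all
    arg = line[m.end():].rstrip(b"\r\n")   # everything after the command verb
    return len(arg) > MAX_RCPT_ARG


def classify(lines, pattern) -> list:
    """Apply one rule variant to every line; returns a list of alert flags."""
    return [oversized_rcpt(line, pattern) for line in lines]


if __name__ == "__main__":
    print("strict :", classify(SAMPLE_LINES, STRICT))    # misses the space-prefixed line
    print("lenient:", classify(SAMPLE_LINES, LENIENT))   # catches it
```

Running it shows the strict variant alerting only on the second line while the lenient variant alerts on both oversized lines, which is exactly why the anchored rule is cheaper on false positives but evadable on servers that accept the padded form.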