[Snort-users] SMTP RCPT TO overflow

Jason Haar Jason.Haar at ...294...
Mon May 6 20:50:04 EDT 2002


On Mon, May 06, 2002 at 11:39:00PM -0400, Brian wrote:
> > Adding an "offset: 0" option to the rule should help. In fact that would
> > almost completely remove false positives on that one I think? (Comments?)
> 
> Unfortunately, that would make us evadable.  Many mail servers
> understand "    rcpt to <stuff>" (note the spaces), so we could be
> easily evaded by adding the offset:0 stuff.

Gah. I'm responsible for Qmail-Scanner - an Email content scanner, so I am
majorly aware of how antivirus scanners (and now IDS...) have to support
every broken piece of software out there.... However, I wonder if this could
be turned into a feature. We already have "web-iis.rules", why not
"smtp-generic.rules", "smtp-strict-rfc.rules",
"smtp-borked.rules", etc.

That way those of us who care can customize their IDS to match their
environment. I use Qmail - and " rcpt to:" is NEVER going to be a problem
for me...

Then the "smtp-strict-rfc.rules" could have things like the offset to reduce
their false-positives, and the sites that have to run "smtp-borked.rules"
would have yet another reason to upgrade their servers :-)

-- 
Cheers

Jason Haar

Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
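To make the trade-off in the thread concrete, here is an added example (mine, not code from the thread or from Snort): a simplified emulation of Snort's content/offset/depth/nocase matching run over constructed SMTP command lines, comparing an anchored "strict RFC" rule with an unanchored "generic" one. It assumes a 300-byte argument limit as the overflow heuristic and models "anchored" as offset:0 plus a depth equal to the pattern length, since offset alone only sets where the search begins.

```python
import re

# Constructed sample SMTP client lines (not taken from the thread).
LONG_ARG = b"A" * 600
SAMPLES = {
    "rfc_normal":  b"RCPT TO:<alice@example.org>\r\n",
    "rfc_long":    b"RCPT TO:<" + LONG_ARG + b"@example.org>\r\n",
    # leading spaces, which many MTAs accept, as Brian describes
    "padded_long": b"    rcpt to:<" + LONG_ARG + b"@example.org>\r\n",
    # message text that merely contains the string (false-positive candidate)
    "data_text":   b"please rcpt to: the new office " + LONG_ARG + b"\r\n",
}

def content_match(payload, content, offset=None, depth=None, nocase=True):
    """Simplified emulation of Snort's content / offset / depth / nocase.
    offset: byte index where the search starts; depth: how many bytes
    after offset are searched (None = to end of payload)."""
    hay, needle = (payload.lower(), content.lower()) if nocase else (payload, content)
    start = offset or 0
    end = len(hay) if depth is None else start + depth
    return hay.find(needle, start, end) != -1

def rcpt_arg_too_long(payload, limit=300):
    """Overflow heuristic (assumed): argument after 'rcpt to' exceeds limit bytes."""
    m = re.search(rb"rcpt to:?\s*(.*?)\r?\n", payload, re.IGNORECASE | re.DOTALL)
    return m is not None and len(m.group(1)) > limit

def strict_rfc_rule(payload):
    # "smtp-strict-rfc.rules" style: command must begin at byte 0
    pattern = b"rcpt to"
    return (content_match(payload, pattern, offset=0, depth=len(pattern))
            and rcpt_arg_too_long(payload))

def generic_rule(payload):
    # "smtp-generic.rules" style: pattern may appear anywhere in the payload
    return content_match(payload, b"rcpt to") and rcpt_arg_too_long(payload)

def evaluate(samples=SAMPLES):
    """Returns {sample_name: (strict_fires, generic_fires)}."""
    return {name: (strict_rfc_rule(p), generic_rule(p)) for name, p in samples.items()}

if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:12s} strict={verdict[0]!s:5s} generic={verdict[1]}")
```

The padded line evades the strict rule but not the generic one, while the generic rule alone fires on the body text; that is the false-positive versus evasion trade-off the proposed rule-set split would let each site choose.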
