[Snort-users] Weird issue with 1.8.6 and SMTP alerts
Jason.Haar at ...294...
Sun May 19 17:28:06 EDT 2002
I'm getting hundreds of hits on the "SMTP RCPT TO overflow" rule, which
appears to be(/should be ;-) due to a bug with something.
It's recording a match on a packet that contains an ENTIRE SMTP transaction.
The rule is:
content:"rcpt to|3a|"; nocase; dsize:>800;
This should only trigger on a packet > 800 bytes that contains "rcpt to:". A
normal SMTP transaction involves the "rcpt to:" being sent as its own
packet - so this rule should only cause false positives when "rcpt to:"
shows up within the DATA component (like this actual message will...)
However, the alert DATA record I see via ACID looks like this:
i.e. a single packet containing half the entire SMTP transaction!
That shouldn't be happening - right? I mean, that should be at least FOUR
packets there - not one...
I tcpdump'ed the link and caught one of the events. As expected, the "rcpt
to:" is sent in its own packet - so it shouldn't have triggered the rule.
Is the "snort -z" option doing something it didn't before? Aggregating
packets into one virtual packet or something?
Strange thing is, it isn't matching on all mail - just some...
Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
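As an added illustration (not code from the original post, and not Snort's own detection engine), the model below applies the rule's content and dsize checks first to each TCP segment on its own and then to the whole session concatenated into one buffer, which is what stream reassembly hands to detection. The SMTP segments are constructed, and the reassembly behaviour (segments joined in order into one virtual packet before the rule is evaluated) is an assumption used to reproduce the symptom described in the post.

```python
# Models the rule from the post:
#   content:"rcpt to|3a|"; nocase; dsize:>800;
# |3a| is the hex escape for ':', nocase makes the match case-insensitive,
# and dsize:>800 requires the inspected payload to exceed 800 bytes.

CONTENT = b"rcpt to:"
DSIZE_MIN = 800


def rule_matches(payload: bytes) -> bool:
    """Apply the content (nocase) and dsize checks to a single payload."""
    return len(payload) > DSIZE_MIN and CONTENT in payload.lower()


def smtp_session(body_len: int) -> list:
    """Constructed client->server segments of one SMTP transaction, one
    command per segment, as the tcpdump in the post showed. The message
    body length is a parameter so short and long mails can be compared."""
    return [
        b"HELO mail.example.test\r\n",
        b"MAIL FROM:<alice@example.test>\r\n",
        b"RCPT TO:<bob@example.test>\r\n",
        b"DATA\r\n",
        b"Subject: weekly report\r\n\r\n" + b"x" * body_len + b"\r\n.\r\n",
    ]


def per_packet_alerts(segments: list) -> list:
    """Indices of segments that fire when each packet is inspected alone.
    The RCPT TO segment is far below 800 bytes, so none should fire."""
    return [i for i, seg in enumerate(segments) if rule_matches(seg)]


def reassembled_alert(segments: list) -> bool:
    """Result when a stream reassembler (assumption: it concatenates the
    session's segments in order into one virtual packet) runs detection
    over the joined buffer: dsize now measures the whole transaction, so a
    large DATA section can push a harmless RCPT TO over the threshold."""
    return rule_matches(b"".join(segments))


if __name__ == "__main__":
    for body_len in (100, 900):
        segs = smtp_session(body_len)
        print(f"body={body_len:>4}  per-packet={per_packet_alerts(segs)}  "
              f"reassembled={reassembled_alert(segs)}")
```

Only the long mail fires, and only in the reassembled case, which is consistent with the post's observation that some but not all mail triggers the rule.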