[Snort-users] Weird issue with 1.8.6 and SMTP alerts

Jason Haar Jason.Haar at ...294...
Sun May 19 17:28:06 EDT 2002


I'm getting hundreds of hits on the "SMTP RCPT TO overflow" rule, which
appears to be(/should be ;-) due to a bug with something.

It's recording a match on a packet that contains an ENTIRE SMTP transaction.

The rule is:

content:"rcpt to|3a|"; nocase; dsize:>800; 

This should only trigger on a packet > 800 bytes that contains "rcpt to:". A
normal SMTP tranactions involves the "rcpt to:" being sent as it's own
packet - so this rule should only cause false positives with "rcpt to:"
shows up within the DATA component (like this actual message will...)

However, the alert DATA record I see via ACID looks like this:

EHLO servername<CRLF>
MAIL FROM:<address><CRLF>
RCPT TO:<address><CRLF>
DATA<CRLF>
xxxxxx
xxx
xxx



i.e a single packet containing half the entire SMTP transaction!

That shouldn't be happening - right? I mean, that should be at least FOUR
packets there - not one...

I tcpdump'ed the link and caught one of the events. As expected, the "rcpt
to:" is sent in it's own packet - so it shouldn't have triggered the rule.

Is the "snort -z" option doing something it didn't before? Aggregating
packets into one virtual packet or something?

Strange thing is, it isn't matching on all mail - just some...

Any ideas?

-- 
Cheers

Jason Haar

Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417




More information about the Snort-users mailing list