[Snort-users] False positives due to stream4 issue?

Jason Haar Jason.Haar at ...294...
Tue Apr 29 16:51:04 EDT 2003


I've noticed that the FPs I'm getting for "SMTP From comment overflow attempt"
look like an entire mail message in one packet. ACID shows me the following:

 length = 2625
 
 000 : 45 48 4C 4F 20 6D 61 69 6C 33 2E 67 70 6D 6E 65   EHLO mail3.gpmne
 010 : 74 2E 63 6F 6D 0D 0A 4D 41 49 4C 20 46 72 6F 6D   t.com..MAIL From
 020 : 3A 3C 62 2E 79 6C 70 6F 69 6E 74 2E 30 2D 31 33   :<b.ylpoint.0-13
 030 : 31 65 31 xxxxxxxxxxxxxxxxxx37 6  74 72 69 6D 62   1e17f-64f0.trimb
 040 : 6C 65 2E 63 6F 6D 2E 2D 6B 61ddddddddddddddd 6E   le.com.-kxxxxxxx
 050 : 5Fxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 67   xxxxxxxx at ...9069...
 060 : 70 6D 6E 65 74 2E 63 6F 6D 3E 20 53 49 5A 45 3D   pmnet.com> SIZE=
 070 : 35 36 39 35 0D 0A 52 43 50 54 20 54 6F 3A 3C 6B   5695..RCPT To:<k
 080 : 61 74 68 6C 65 65 6E 5F 6D 63 6E 65 69 6C 79 40   xxxxxxxxxxxxxxx@
 090 : 74 72 69 6D 62 6C 65 2E 63 6F 6D 3E 0D 0A 44 41   trimble.com>..DA
 0a0 : 54 41 0D 0A 52 65 63 65 69 76 65 64 3A 20 28 66   TA..Received: (f
 0b0 : 72 6F 6D 20 64 61 65 6D 6F 6E 40 6C 6F 63 61 6C   rom daemon at ...9070...
 0c0 : 68 6F 73 74 29 0D 0A 09 62 79 20 6D 61 69 6C 33   host)...by mail3
 stuff deleted
 900 : 65 77 20 59 6F 72 6B 2C 20 4E 59 20 31 30 30 32   ew York, NY 1002
 910 : 33 2E 0D 0A 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E   3...<><><><><><>
 920 : 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E   <><><><><><><><>
 930 : 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E   <><><><><><><><>
 940 : 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E   <><><><><><><><>
 950 : 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 0D 0A 0D 0A 54 6F   <><><><><>....To
 960 : 20 75 6E 73 75 62 73 63 72 69 62 65 2C 20 67 6F    unsubscribe, go
 

Well - that ain't one packet now is it...

Length 2625, and a whole bunch of SMTP commands followed by data. I have
tested that SMTP server, and it doesn't support pipelining, so there's no
way that happened as one packet.

Any ideas what's going on there? This is Snort-2.0 under RH-7

preprocessor frag2
preprocessor stream4: disable_evasion_alerts, detect_scans, timeout 30,
 memcap 8388608 ttl_limit 0
preprocessor stream4_reassemble: noalerts, both, ports 21 23 25 53 80 3128
 143 110 111 513 8000 8080

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
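The effect described in the post, a reassembler splicing a whole client conversation into one buffer, is easy to reproduce and is worth having a small model of when triaging such alerts. The following is an added example, not code from the post or from Snort: it attaches sequence numbers to constructed SMTP client segments (hosts and addresses are placeholders), reassembles them out of order with a retransmission the way a stream reassembler does, and then splits the resulting buffer back into its command lines so that an analyst can tell a reassembled stream from a single packet and measure the MAIL FROM argument only within its own line.

```python
import random
from typing import Dict, List, Tuple

# Constructed sample conversation (client -> server side only). One SMTP
# command per TCP segment, as a client talking to a non-pipelining server
# sends them. Hosts and addresses are placeholders, not taken from the post.
CHUNKS: List[bytes] = [
    b"EHLO mail3.example.net\r\n",
    b"MAIL From:<sender@example.net> SIZE=5695\r\n",
    b"RCPT To:<recipient@example.com>\r\n",
    b"DATA\r\n",
    b"Received: (from daemon@localhost)\r\n\tby mail3.example.net\r\n"
    b"\r\n" + b"<>" * 60 + b"\r\n\r\n.\r\n",
]
ISN = 1000  # initial sequence number for the constructed stream


def segments(chunks: List[bytes], isn: int = ISN) -> List[Tuple[int, bytes]]:
    """Attach consecutive TCP sequence numbers to the chunks."""
    out, seq = [], isn
    for chunk in chunks:
        out.append((seq, chunk))
        seq += len(chunk)
    return out


def reassemble(segs: List[Tuple[int, bytes]]) -> bytes:
    """Order client segments by sequence number and splice them into one
    buffer, dropping retransmitted bytes. This is the kind of pseudo-packet a
    reassembling preprocessor hands to the detection engine: its length is
    the whole conversation so far, not the size of any packet on the wire."""
    buf = bytearray()
    expected = None
    for seq, data in sorted(segs, key=lambda s: s[0]):
        if expected is None:
            expected = seq
        if seq + len(data) <= expected:
            continue                      # complete retransmission, nothing new
        if seq < expected:
            data = data[expected - seq:]  # partial overlap: keep only new bytes
        elif seq > expected:
            raise ValueError(f"gap of {seq - expected} bytes before seq {seq}")
        buf += data
        expected += len(data)
    return bytes(buf)


def split_envelope(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Split a reassembled client stream into the envelope command lines and
    the message body that follows DATA (empty if DATA was never sent)."""
    lines = buf.split(b"\r\n")
    commands: List[bytes] = []
    for i, line in enumerate(lines):
        commands.append(line)
        if line.upper() == b"DATA":
            return commands, b"\r\n".join(lines[i + 1:])
    return [line for line in lines if line], b""


def mail_from_argument(commands: List[bytes]) -> bytes:
    """Return the argument of the MAIL FROM command, measured within its own
    line, so a length check on it is not inflated by body bytes that the
    reassembler appended after the command."""
    for line in commands:
        if line[:10].upper() == b"MAIL FROM:":
            return line[10:]
    return b""


def triage(buf: bytes) -> Dict[str, object]:
    """Summarise an alert payload: its length, the client commands it holds,
    and whether it contains more than one client turn, which a client that
    does not pipeline could never have put into a single packet."""
    commands, body = split_envelope(buf)
    return {
        "bytes": len(buf),
        "commands": commands,
        "mail_from_len": len(mail_from_argument(commands)),
        "multi_command": len(commands) > 1 or bool(body),
    }


if __name__ == "__main__":
    segs = segments(CHUNKS)
    random.shuffle(segs)          # segments arrive out of order ...
    segs.append(segs[0])          # ... and one of them is retransmitted
    stream = reassemble(segs)
    summary = triage(stream)
    print(f"reassembled {summary['bytes']} bytes from {len(CHUNKS)} segments")
    for cmd in summary["commands"]:
        print("  client:", cmd.decode())
    print("MAIL FROM argument length:", summary["mail_from_len"])
    print("more than one client turn in buffer:", summary["multi_command"])
```

When a payload shown by the console contains several CRLF-terminated client commands followed by DATA and a body, the `multi_command` result is the tell-tale that the alert fired on a reassembled stream rather than on a packet, and the `mail_from_len` figure shows how long the suspect field actually was once the line boundary is respected.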



