[Snort-users] False positives due to stream4 issue?
mkettler at ...4108...
Tue Apr 29 17:33:06 EDT 2003
At 11:50 AM 4/30/2003 +1200, Jason Haar wrote:
>I've noticed that the FPs I'm getting for "SMTP From comment overflow attempt"
>look like an entire mail message in one packet. ACID shows me the following:
Are you using Snort 2.0? The rule in 2.0 shouldn't have fired on this. It
should also be looking for a pair of closely spaced ( ) characters after
the string of <><><><> stuff.
And you're right, it is a re-assembled stream, but the rule is (should be)
designed to deal with that.
In fact, presenting that data in that fashion is pretty much what stream4
should be doing (although I'd argue it should have flushed the data through
each time your server responded). So it should have appeared as if it were 4
packets, regardless of the actual number of IP layer packets, which could
be significantly greater.
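As an added illustration (not code from this list thread or from Snort itself), the following Python models the two points made in the reply: a reassembler that flushes the client-side data each time the server responds, and a check that only fires when a From: line carries a run of `<>` followed by a closely spaced `(` `)` pair. The regex is a constructed approximation of the criterion described above, not the real Snort rule text, and the SMTP session is constructed sample data.

```python
import re
from typing import List, Tuple

# Constructed approximation of the criterion described in the reply:
# a From: header containing a long run of "<>" and, later on the same
# line, a "(" and ")" close together. This is NOT the actual Snort rule.
FROM_COMMENT_RE = re.compile(
    rb"^From:[^\r\n]*?(?:<>){8,}[^\r\n]*?\([^\r\n]{0,16}\)", re.M | re.I
)


def rule_matches(chunk: bytes) -> bool:
    """True if a reassembled client chunk satisfies the approximated rule."""
    return FROM_COMMENT_RE.search(chunk) is not None


def reassemble_with_flush(segments: List[Tuple[str, bytes]]) -> List[bytes]:
    """Model of stream4 flushing the client stream whenever the server replies.

    Each client byte run between two server responses becomes one chunk,
    regardless of how many IP packets actually carried it.
    """
    chunks, buf = [], b""
    for side, data in segments:
        if side == "client":
            buf += data
        elif buf:  # server response: flush what the client has sent so far
            chunks.append(buf)
            buf = b""
    if buf:
        chunks.append(buf)
    return chunks


def scan_session(segments: List[Tuple[str, bytes]]) -> List[bool]:
    """Run the check over every flushed chunk of a session."""
    return [rule_matches(c) for c in reassemble_with_flush(segments)]


# Constructed benign session: a full message in one flush, with "<>"
# only in the Subject line, which should NOT trigger the check.
SESSION = [
    ("server", b"220 mail.example.test ESMTP\r\n"),
    ("client", b"HELO client.example.test\r\n"),
    ("server", b"250 mail.example.test\r\n"),
    ("client", b"MAIL FROM:<alice@example.test>\r\n"),
    ("server", b"250 OK\r\n"),
    ("client", b"RCPT TO:<bob@example.test>\r\n"),
    ("server", b"250 OK\r\n"),
    ("client", b"DATA\r\n"),
    ("server", b"354 End data with <CR><LF>.<CR><LF>\r\n"),
    ("client", b"From: Alice <alice@example.test>\r\nSubject: hi <><><> (ok)\r\n\r\nbody\r\n.\r\n"),
    ("server", b"250 Queued\r\n"),
]
```

A chunk such as `b"From: " + b"<>" * 40 + b" (x)\r\n"` does satisfy the check, while every flushed chunk of the constructed session above does not.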