[Snort-users] XEXCH50 evasion rule parse problems?

Erik Norman erik.norman at ...10674...
Wed Dec 3 08:42:05 EST 2003

Hi all,

Starting from this morning, I'm getting alarms regarding XEXCH50 evasion
attempt (sid 2253, 2254). In my opinion, the conditions for that rule is not
met, but still generates an alarm!

More detailed information below.

Now what? Is this a known issue? As I'm not participating in snort-users
list, please cc me in case of a reply.

Btw, snort rules! Thank you guys.


The rule
The rule says that a '-' should be within 1 distance away from the XEXCH50
keyword. Right?

...msg:"SMTP XEXCH50 overflow attempt"; flow:to_server,established;
content:"XEXCH50"; nocase; content:"-"; distance:1;...

Packet extract
-snip- 50  x at ...10675...>..RCP
-snip- 76  T TO:<xxx.xxxxxx
-snip- 0A  xxx at ...10676...>..
-snip- 0A  XEXCH50 1940 2..

Snort 2.0.4 on NetBSD 1.6.1

More information about the Snort-users mailing list