[Snort-users] SMTP ETRN overflow attempt

NO JUNK MAIL no_junk-mail at ...2146...
Tue May 6 12:16:34 EDT 2003


Hello

I'm trying to modify this signature because it is being trigering "SMTP ETRN" alert when encrypted email come in that have "etrn" in them.   Going throught the sessions, and raw packets, you can find "etrn" in the encryption algarithum that was generated.  I'd like to narrow it up if possible.  Would anybody have a raw packet or more info on what the packet looks like when it is a lagitamite attack.  

Snort Signature;

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ETRN overflow attempt"; flow:to_server,established; content:"ETRN "; offset:0; depth:5; content:!"|0A|"; within:500; reference:cve,CAN-2000-0490; classtype:attempted-admin; sid:1550; rev:6;) 

Dragon Signature;

T D A S 5 10 25 SMTP:ETRN etrn/0d

They both only look for "etrn" and a carrige return.  I'd like it a little longer

Thanks 

Robert

-- 
__________________________________________________________
Sign-up for your own FREE Personalized E-mail at Mail.com
http://www.mail.com/?sr=signup





More information about the Snort-users mailing list