[Snort-users] SID 1549 alerts -- what the heck is this ?

Matt Kettler mkettler at ...4108...
Fri May 16 14:43:08 EDT 2003


I've seen a lot of these too. After doing some study, I have to conclude 
it's bugs in various mailservers where some of them don't send the correct 
end-of-line sequence.

RFC 821 specifications say that HELO MUST be terminated with a CR LF pair.

However, it appears some mail exchangers only send a CR. Others only send 
an LF.

For this rule, snort is looking for a LF, but the exchanger in question 
only sent a CR (in violation of the RFC).

I guess to make this rule not false-pos it would need to be re-written to 
fix it.


alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP HELO overflow attempt"; flow:to_server,established; content:"HELO "; offset:0; depth:5; content:!"|0d|"; within:500; reference:cve,CVE-2000-0042; reference:nessus,10324; classtype:attempted-admin; sid:1549; rev:9;)

would need to become something like this:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP HELO overflow attempt"; flow:to_server,established; content:"HELO "; offset:0; depth:5; content:!"|0d|"; within:500; content:!"|0a|"; within:500; reference:cve,CVE-2000-0042; reference:nessus,10324; classtype:attempted-admin; sid:1001549; rev:10;)

I'm going to be testing this version on my system for a while. It should 
theoretically work and only false-pos on systems that send the 
super-strange LF CR instead of "CR LF" or just bare CR or just bare LF.



At 03:27 PM 5/16/2003 -0500, Fritsche, Jeff wrote:

>Getting a bunch of these.   Why the alarms ???
>
>NOTE:   the "HELO xxx-xxx-xxx-xxx.xxxxx xxxxxxxx."  had our server ip
>address and company name in it so I "x"'d them out.
>
>Thanks
>
>
>[**] SMTP HELO overflow attempt [**]
>05/16-15:04:39.440732 200.77.249.165:1982 -> xxx.xxx.xxx.xx:25
>TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:75
>***AP*** Seq: 0x7A546B80  Ack: 0xF40B73B1  Win: 0x410F  TcpLen: 20
>0x0000: 00 08 A1 11 04 3D 00 40 10 12 C0 B4 08 00 45 10  .....=.@......E.
>0x0010: 00 4B 00 00 00 00 F0 06 00 00 C8 4D F9 A5 C0 A8  .K.........M....
>0x0020: A8 0D 07 BE 00 19 7A 54 6B 80 F4 0B 73 B1 50 18  ......zTk...s.P.
>0x0030: 41 0F 00 00 00 00 48 45 4C 4F 20 xx xx xx 2D xx  A.....HELO xxx-x
>0x0040: xx xx 2D xx xx xx 2D xx xx xx 2E xx xx xx xx xx  xx-xxx-xxx.xxxxx
>0x0050: xx xx xx xx xx xx xx xx 0D                       xxxxxxxx.
>
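Added example, not code from the thread or from the Snort project: a small Python script that rebuilds the TCP payload from the Snort packet dump quoted above and reports which line terminator the HELO used and how long its argument is, which is the first thing to check when deciding whether one of these alerts is a bare-CR false positive or a real overflow attempt. It assumes the dump is an untagged Ethernet II / IPv4 / TCP frame (as in the quoted alert) and keeps the redacted "xx" bytes as placeholders.

```python
import re

# Constructed sample: the dump quoted in the thread, "xx" placeholders kept as-is.
ALERT_DUMP = """\
0x0000: 00 08 A1 11 04 3D 00 40 10 12 C0 B4 08 00 45 10  .....=.@......E.
0x0010: 00 4B 00 00 00 00 F0 06 00 00 C8 4D F9 A5 C0 A8  .K.........M....
0x0020: A8 0D 07 BE 00 19 7A 54 6B 80 F4 0B 73 B1 50 18  ......zTk...s.P.
0x0030: 41 0F 00 00 00 00 48 45 4C 4F 20 xx xx xx 2D xx  A.....HELO xxx-x
0x0040: xx xx 2D xx xx xx 2D xx xx xx 2E xx xx xx xx xx  xx-xxx-xxx.xxxxx
0x0050: xx xx xx xx xx xx xx xx 0D                       xxxxxxxx.
"""

TERMINATORS = {b"\r\n": "CR LF (RFC 821 compliant)", b"\n\r": "LF CR",
               b"\r": "bare CR", b"\n": "bare LF"}

def parse_snort_dump(dump: str) -> bytes:
    """Rebuild the raw frame from Snort's "0xNNNN: .." hex dump lines.
    Redacted "xx" bytes become the letter x so that offsets stay correct."""
    raw = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("0x"):
            continue
        for tok in tokens[1:17]:          # at most 16 bytes per dump line
            if tok == "xx":
                raw.append(ord("x"))
            elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                raw.append(int(tok, 16))
            else:                         # reached the ASCII column
                break
    return bytes(raw)

def tcp_payload(frame: bytes) -> bytes:
    """Strip Ethernet II + IPv4 + TCP headers (assumption: no VLAN tag)."""
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length
    total_len = int.from_bytes(frame[16:18], "big")   # IPv4 total length
    tcp = 14 + ihl
    data_off = (frame[tcp + 12] >> 4) * 4             # TCP header length
    return frame[tcp + data_off:14 + total_len]

def inspect_helo(payload: bytes) -> dict:
    """Report how the HELO line is terminated and how long its argument is."""
    if not payload.startswith(b"HELO "):
        return {"helo": False}
    m = re.search(rb"\r\n|\n\r|\r|\n", payload)       # first line ending, pairs first
    end = m.start() if m else len(payload)
    return {"helo": True,
            "terminator": TERMINATORS[m.group()] if m else "none",
            "arg_len": end - len(b"HELO ")}

def analyze_alert(dump: str) -> dict:
    return inspect_helo(tcp_payload(parse_snort_dump(dump)))
```

For the quoted alert, analyze_alert(ALERT_DUMP) reports a bare CR terminator and a 29-byte HELO argument, i.e. an RFC 821 violation rather than an overflow attempt.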