[Snort-users] SMTP preprocessor triggering on incorrect data

Jason Haar Jason.Haar at ...294...
Mon Sep 18 15:12:03 EDT 2006


I just had an FP event generated by the SMTP preprocessor

# smtp: SMTP normalizer, protocol enforcement and buffer overflow
preprocessor smtp: ports { 25 587 } \
    ignore_tls_data \
    ignore_data \
    inspection_type stateful \
    normalize cmds \
    normalize_cmds { EXPN VRFY RCPT } \
    alt_max_command_line_len 260 { MAIL } \
    alt_max_command_line_len 300 { RCPT } \
    alt_max_command_line_len 500 { HELP HELO ETRN } \
    alt_max_command_line_len 255 { EXPN VRFY }


The event was "Attempted specific command buffer overflow: HELP, 941
chars", but the captured packet shows the word "help" was actually within
the DATA component of the SMTP stream, not an SMTP command. It was from
one of our internal Exchange servers to another Exchange server, so I
assume their initial SMTP dialog was vaguely compliant. :-)

This is snort 2.6.0.2 under RHE4


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
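The distinction the post turns on is whether a length check is applied to every line that starts with a command word, or only to lines the session state says are commands. The following is an added example, not code from the post or from the Snort project: a stateless checker beside a DATA-aware one, both fed a constructed session (hostnames and message content are invented) in which a 941-character body line happens to begin with "help". The per-command limits are the alt_max_command_line_len values from the posted config; the 512-character fallback for other commands is an assumption.

```python
"""Command-line length checking with and without SMTP DATA state tracking.

Shows why a body line beginning with a command word is a false positive
for a "command buffer overflow" check unless the inspector knows it is
inside the DATA section.
"""
import re

# Per-command limits copied from the preprocessor config in the post.
ALT_MAX_COMMAND_LINE_LEN = {
    "MAIL": 260,
    "RCPT": 300,
    "HELP": 500, "HELO": 500, "ETRN": 500,
    "EXPN": 255, "VRFY": 255,
}
# Assumed generic limit for commands without an explicit override.
DEFAULT_MAX_COMMAND_LINE_LEN = 512

_CMD_RE = re.compile(r"([A-Za-z]+)")


def _check_command_line(lineno, line):
    """Return an alert tuple if the line, treated as a command, is too long."""
    m = _CMD_RE.match(line)
    if not m:
        return None
    cmd = m.group(1).upper()
    limit = ALT_MAX_COMMAND_LINE_LEN.get(cmd, DEFAULT_MAX_COMMAND_LINE_LEN)
    if len(line) > limit:
        return (lineno, cmd, len(line))
    return None


def inspect_stateless(lines):
    """Treat every client line as a potential command (no DATA awareness).

    This reproduces the false positive: body text is measured against
    command limits.
    """
    alerts = []
    for lineno, line in enumerate(lines, 1):
        alert = _check_command_line(lineno, line)
        if alert:
            alerts.append(alert)
    return alerts


def inspect_stateful(lines):
    """Apply command limits only outside the DATA section.

    After a DATA command, every line up to the lone '.' terminator is
    message body and is skipped; command checking resumes afterwards.
    """
    alerts = []
    in_data = False
    for lineno, line in enumerate(lines, 1):
        if in_data:
            if line == ".":
                in_data = False
            continue
        alert = _check_command_line(lineno, line)
        if alert:
            alerts.append(alert)
        if line.upper().startswith("DATA"):
            in_data = True
    return alerts


# Constructed client-side session: the body line is 941 characters and
# begins with the word "help", mirroring the alert in the post.
SAMPLE_SESSION = [
    "EHLO exchange1.example.internal",
    "MAIL FROM:<alice@example.internal>",
    "RCPT TO:<bob@example.internal>",
    "DATA",
    "Subject: weekly report",
    "",
    "help " + "x" * 936,
    ".",
    "QUIT",
]

# Constructed session with a genuinely over-long RCPT command (327 chars),
# to show the stateful check still fires on real command lines.
SAMPLE_OVERLONG_RCPT = [
    "HELO client.example.internal",
    "MAIL FROM:<alice@example.internal>",
    "RCPT TO:<" + "y" * 300 + "@example.internal>",
    "QUIT",
]

if __name__ == "__main__":
    print("stateless:", inspect_stateless(SAMPLE_SESSION))
    print("stateful: ", inspect_stateful(SAMPLE_SESSION))
    print("stateful on real overflow:", inspect_stateful(SAMPLE_OVERLONG_RCPT))
```

Run as a script, the stateless pass reports the body line as a HELP overflow while the stateful pass reports nothing for the same session and still flags the over-long RCPT in the second one. The state machine is deliberately minimal (no RSET, BDAT or pipelining handling); its only job is to make the command/body boundary concrete.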
