[Snort-users] Correct Link for the Snort Virtual Users Group

Mike Guiterman mike.guiterman at ...1935...
Tue Sep 19 09:37:27 EDT 2006


Hi all,

My apologies for the bad link.  The correct link to register for the Virtual
Users Group is below:

https://sourcefire.webex.com/sourcefire/j.php?ED=86930197&RG=1


Mike


On 9/18/06 10:51 PM, "snort-users-request at lists.sourceforge.net"
<snort-users-request at lists.sourceforge.net> wrote:

> Send Snort-users mailing list submissions to
> snort-users at lists.sourceforge.net
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.sourceforge.net/lists/listinfo/snort-users
> or, via email, send a message with subject or body 'help' to
> snort-users-request at lists.sourceforge.net
> 
> You can reach the person managing the list at
> snort-users-owner at lists.sourceforge.net
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-users digest..."
> 
> 
> Today's Topics:
> 
>    1. SMTP preprocessor triggering on incorrect data (Jason Haar)
>    2. Inaugural Snort Virtual Users Group Meeting Sept. 28
>       (Mike Guiterman)
>    3. Re: Inaugural Snort Virtual Users Group Meeting Sept. 28
>       (Will Metcalf)
>    4. Re: Inaugural Snort Virtual Users Group Meeting Sept. 28 (Jason)
>    5. Re: error: log_tcpdump TcpdumpInitlogefile():no error (Joel Esler)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Tue, 19 Sep 2006 07:12:03 +1200
> From: Jason Haar <Jason.Haar at ...294...>
> Subject: [Snort-users] SMTP preprocessor triggering on incorrect data
> To: snort-users at lists.sourceforge.net
> Message-ID: <450EEF83.3040003 at ...294...>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> I just had an FP event generated by the SMTP preprocessor
> 
> # smtp: SMTP normalizer, protocol enforcement and buffer overflow
> preprocessor smtp: \
>   ports { 25 587 } \
>   ignore_tls_data ignore_data \
>   inspection_type stateful \
>   normalize cmds \
>   normalize_cmds { EXPN VRFY RCPT } \
>   alt_max_command_line_len 260 { MAIL } \
>   alt_max_command_line_len 300 { RCPT } \
>   alt_max_command_line_len 500 { HELP HELO ETRN } \
>   alt_max_command_line_len 255 { EXPN VRFY }
> 
> 
> The event was "Attempted specific command buffer overflow: HELP, 941
> chars", but the captured packet shows the word help was actually within
> the DATA component of the SMTP stream - not an SMTP command. It was from
> one of our internal Exchange servers to another Exchange server, so I
> assume their initial SMTP dialog was vaguely compliant. :-)
> 
> This is snort 2.6.0.2 under RHE4
> 
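An added illustration, not part of the original message and not Snort's implementation, of why a per-command length check has to track the DATA phase. The limits are the ones in the quoted config; the session, host names and function names are constructed for the example.

```python
# Added example, not Snort code. LIMITS mirrors the quoted
# alt_max_command_line_len settings; SESSION is constructed sample data.
LIMITS = {"MAIL": 260, "RCPT": 300, "HELP": 500, "HELO": 500,
          "ETRN": 500, "EXPN": 255, "VRFY": 255}

def over_limit(line):
    """Return (verb, length) when a line opens with a limited verb and is too long."""
    parts = line.split(None, 1)
    verb = parts[0].upper() if parts else ""
    limit = LIMITS.get(verb)
    return (verb, len(line)) if limit is not None and len(line) > limit else None

def scan(session, stateful):
    """session: list of (sender, line), sender 'C' (client) or 'S' (server)."""
    alerts, data_pending, in_data = [], False, False
    for sender, line in session:
        if sender == "S":
            # The body starts only once the server accepts DATA with a 354 reply.
            if data_pending:
                in_data = line.startswith("354")
                data_pending = False
            continue
        if stateful and in_data:
            if line == ".":          # a lone dot ends the message body
                in_data = False
            continue                 # body text is never parsed as a command
        hit = over_limit(line)
        if hit:
            alerts.append(hit)
        if line.strip().upper() == "DATA":
            data_pending = True
    return alerts

BODY_LINE = "help " + "x" * 936      # 941 characters, as in the reported event
SESSION = [
    ("S", "220 mx.example.test ESMTP"),
    ("C", "HELO a.example.test"), ("S", "250 ok"),
    ("C", "MAIL FROM:<a@example.test>"), ("S", "250 ok"),
    ("C", "RCPT TO:<b@example.test>"), ("S", "250 ok"),
    ("C", "DATA"), ("S", "354 go ahead"),
    ("C", "Subject: test"), ("C", ""), ("C", BODY_LINE), ("C", "."),
    ("S", "250 queued"),
    ("C", "HELP " + "A" * 600), ("S", "502 not implemented"),
    ("C", "QUIT"), ("S", "221 bye"),
]
```

With `stateful=False` the body line is reported as an over-long HELP; with `stateful=True` only the real HELP command sent after the message is reported.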





