[Snort-users] max_header_line_len

Todd Wease twease at ...1935...
Thu Mar 27 07:41:50 EDT 2008


Hi Serdar,

The header name buffer overflow looks for a header name > 64 characters.
 Header names are taken to be the tags in the data header, e.g.

Subject:
Return-Path:
Received:
etc.

If the number of characters before the ":" is more than 64 characters
the smtp preprocessor alerts.  The max_header_line_len has nothing to do
with this - it looks for the length of the entire line.

Is your network asynchronous?  Are you dropping packets?  Can you
provide a pcap that generates the alert (send to bugs at ...950...)?

Thanks,
Todd

serdar uzun wrote:
> Hi,
> 
> My Snort alerts many times with "smtp: Attempted header name buffer
> overflow".
> Then I cleared the line "max_header_line_len .." in snort.conf. But it
> has been continueing with same alert. What may be the problem?
> 
> ------------------------------------------------------------------------
> Looking for last minute shopping deals? Find them fast with Yahoo!
> Search.
> <http://us.rd.yahoo.com/evt=51734/*http://tools.search.yahoo.com/newsearch/category.php?category=shopping>
> 
> 
> 
> ------------------------------------------------------------------------
> 
> -------------------------------------------------------------------------
> Check out the new SourceForge.net Marketplace.
> It's the best place to buy or sell services for
> just about anything Open Source.
> http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users





More information about the Snort-users mailing list