[Snort-users] (smtp) Attempted header name buffer overflow: xx chars before colon

chris ryan chris.ryan at ...348...
Tue Sep 2 10:16:41 EDT 2008


Hi,

we are running snort (2.8.2.1, latest subscribers rule set) in front of
an big email infrastructure (>10000 users).

I'm getting a lot of these alerts from the smtp preprocessor:
"(smtp) Attempted header name buffer overflow: xx chars before colon",
where xx is (65 .. 255).

I found an older post on the list:

>----
Todd Wease
Date: 2008-03-27 12:41:50

The header name buffer overflow looks for a header name > 64 characters.
Header names are taken to be the tags in the data header, e.g.

Subject:
Return-Path:
Received:
etc.

If the number of characters before the ":" is more than 64 characters
the smtp preprocessor alerts.  The max_header_line_len has nothing to do
with this - it looks for the length of the entire line.

Is your network asynchronous?  Are you dropping packets?  Can you
provide a pcap that generates the alert (send to <email removed>)?
>----

Our network isn't asynchronous and we have a very, very low drop rate.
Most of the false postives seem to be newsletters or spam in html.
I can provide pcaps of that, if needed.

Is there a way of disabling that warning without disabling the hole
preprocessor? I only found these in the preproc.rules:
SMTP_COMMAND_OVERFLOW
SMTP_DATA_HDR_OVERFLOW
SMTP_RESPONSE_OVERFLOW
SMTP_SPECIFIC_CMD_OVERFLOW
SMTP_UNKNOWN_CMD
SMTP_ILLEGAL_CMD
SMTP_HEADER_NAME_OVERFLOW

It seems to me that the alert message is still from the preprocessor
itself and does not use the preproc.rules.


Thanks in advance,
Chris.






More information about the Snort-users mailing list