[Snort-users] (smtp) Attempted header name buffer overflow: xx chars before colon
chris.ryan at ...348...
Tue Sep 2 10:16:41 EDT 2008
we are running snort (126.96.36.199, latest subscribers rule set) in front of
an big email infrastructure (>10000 users).
I'm getting a lot of these alerts from the smtp preprocessor:
"(smtp) Attempted header name buffer overflow: xx chars before colon",
where xx is (65 .. 255).
I found an older post on the list:
Date: 2008-03-27 12:41:50
The header name buffer overflow looks for a header name > 64 characters.
Header names are taken to be the tags in the data header, e.g.
If the number of characters before the ":" is more than 64 characters
the smtp preprocessor alerts. The max_header_line_len has nothing to do
with this - it looks for the length of the entire line.
Is your network asynchronous? Are you dropping packets? Can you
provide a pcap that generates the alert (send to <email removed>)?
Our network isn't asynchronous and we have a very, very low drop rate.
Most of the false postives seem to be newsletters or spam in html.
I can provide pcaps of that, if needed.
Is there a way of disabling that warning without disabling the hole
preprocessor? I only found these in the preproc.rules:
It seems to me that the alert message is still from the preprocessor
itself and does not use the preproc.rules.
Thanks in advance,
More information about the Snort-users