[Snort-users] (smtp) Attempted header name buffer overflow: xx chars before colon
twease at ...1935...
Tue Sep 2 10:28:27 EDT 2008
This should be fixed in 2.8.3. For now, you can comment the
SMTP_HEADER_NAME_OVERFLOW rule in preproc.rules. To utilize the
preproc.rules you need to compile Snort with
"--enable-decoder-preprocessor-rules" and uncomment "include
$PREPROC_RULE_PATH/preprocessor.rules" in snort.conf.
chris ryan wrote:
> we are running snort (188.8.131.52, latest subscribers rule set) in front of
> an big email infrastructure (>10000 users).
> I'm getting a lot of these alerts from the smtp preprocessor:
> "(smtp) Attempted header name buffer overflow: xx chars before colon",
> where xx is (65 .. 255).
> I found an older post on the list:
> Todd Wease
> Date: 2008-03-27 12:41:50
> The header name buffer overflow looks for a header name > 64 characters.
> Header names are taken to be the tags in the data header, e.g.
> If the number of characters before the ":" is more than 64 characters
> the smtp preprocessor alerts. The max_header_line_len has nothing to do
> with this - it looks for the length of the entire line.
> Is your network asynchronous? Are you dropping packets? Can you
> provide a pcap that generates the alert (send to <email removed>)?
> Our network isn't asynchronous and we have a very, very low drop rate.
> Most of the false postives seem to be newsletters or spam in html.
> I can provide pcaps of that, if needed.
> Is there a way of disabling that warning without disabling the hole
> preprocessor? I only found these in the preproc.rules:
> It seems to me that the alert message is still from the preprocessor
> itself and does not use the preproc.rules.
> Thanks in advance,
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
More information about the Snort-users