[Snort-users] Question on 663

Jack Pepper pepperjack at ...14319...
Thu Apr 9 13:16:34 EDT 2009


and apologies to you, rmkml, because I did not notice in the bugtraq how RCPT ties into the debug exploitation.

It does seem like there is a typo in the rule, though. This PCRE will not match the sample exploit in bugtraq.

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP rcpt to command attempt"; flow:to_server,established; content:"rcpt to|3A|"; nocase; pcre:"/^rcpt\s+to\:\s*[|\x3b]/smi"; metadata:service smtp; reference:arachnids,172; reference:bugtraq,1; reference:cve,1999-0095; classtype:attempted-admin; sid:663; rev:15;)

But then I suppose that there aren't all that many sendmail 5.5.8 still in production.

jp



-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com
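As an added example (not from the post and not Snort's own code), a small Python harness that pulls the content and pcre options out of the quoted sid:663 rule, maps its /smi modifiers onto Python's re flags, and runs the rule over a few constructed RCPT TO lines so you can see exactly which forms the PCRE does and does not fire on. It assumes Python's re engine agrees with PCRE for the metacharacters in this pattern (\s, \:, \x3b inside a class), which it does.

```python
import re

# Snort rule sid:663 as quoted in the post above, joined onto one line.
RULE_663 = (
    'alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP rcpt to command attempt"; '
    'flow:to_server,established; content:"rcpt to|3A|"; nocase; '
    r'pcre:"/^rcpt\s+to\:\s*[|\x3b]/smi"; metadata:service smtp; '
    'reference:arachnids,172; reference:bugtraq,1; reference:cve,1999-0095; '
    'classtype:attempted-admin; sid:663; rev:15;)'
)

# PCRE modifier letters, mapped onto the equivalent Python re flags.
_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}

def compile_snort_pcre(rule: str) -> re.Pattern:
    """Extract the pcre:"/.../mods" option from a rule and compile it."""
    m = re.search(r'pcre:"/(.*?)/([a-zA-Z]*)"', rule)
    if not m:
        raise ValueError("rule has no pcre option")
    flags = 0
    for ch in m.group(2):
        if ch not in _FLAGS:
            raise ValueError(f"unsupported pcre modifier {ch!r}")
        flags |= _FLAGS[ch]
    return re.compile(m.group(1), flags)

def rule_matches(rule: str, payload: str) -> bool:
    """True when both the nocase content match and the pcre fire on the payload."""
    content = re.search(r'content:"([^"]*)"', rule).group(1)
    # Expand Snort's |hex| byte notation: "rcpt to|3A|" becomes "rcpt to:".
    content = re.sub(r"\|([0-9A-Fa-f ]+)\|",
                     lambda h: bytes.fromhex(h.group(1)).decode(), content)
    if content.lower() not in payload.lower():   # nocase content match
        return False
    return compile_snort_pcre(rule).search(payload) is not None

# Constructed SMTP command lines (not real traffic) with the expected verdict.
SAMPLES = {
    "RCPT TO:<user@example.com>\r\n": False,   # ordinary recipient, nothing to flag
    "RCPT TO: |/path/to/program\r\n": True,     # pipe right after optional whitespace
    "rcpt to:;/path/to/program\r\n": True,      # semicolon (\x3b) form, lower case
    "RCPT TO:<|/path/to/program>\r\n": False,   # a '<' before the pipe defeats the class
}

def evaluate(rule: str = RULE_663) -> dict:
    """Run every sample through the rule; compare with SAMPLES to spot coverage gaps."""
    return {line: rule_matches(rule, line) for line in SAMPLES}
```

Swap in a candidate corrected pcre and rerun evaluate() against the same samples to confirm a change widens coverage without firing on the ordinary recipient line.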
