[Snort-users] smtp: Attempted command buffer overflow

Phil Daws uxbod at ...14273...
Wed Apr 17 08:38:06 EDT 2013


Thank you for the reply, but I am at a loss as to what you mean? I thought the rule was saying that the number of bytes in the HELO/EHLO line was > 512, as defined by:

max_command_line_len 512 

in the preprocessor section of snort.conf. 

Am I wrong in my understanding?


----- Original Message ----- 
From: "Manuel Garcia-Zamora" <zamoram at ...15640...> 
To: "Phil Daws" <uxbod at ...14273...> 
Sent: Wednesday, 17 April, 2013 9:33:57 AM 
Subject: RE: smtp: Attempted command buffer overflow 

This is probably because the email server lists.sourceforge.net is not defined as a corporate mail server in the email servers section of the configuration file; therefore it is not an authorized email relay server to connect to by SMTP.

You should not allow any outbound SMTP. If this is for an authorized source, then you can create an exception to this alert by source IP.



-----Original Message----- 
From: Phil Daws [mailto:uxbod at ...14273...] 
Sent: 17 April 2013 09:07 
To: snort-users at lists.sourceforge.net 
Subject: [Snort-users] smtp: Attempted command buffer overflow 


I have recently installed Snort and am beginning to see a lot of alerts from the SMTP preprocessor for SID 124:1:1. Looking at the payload data, it shows:

0000000: 45 48 4c 4f 20 6c 69 73 74 73 2e 73 6f 75 72 63 65 66 6f 72 67 65 2e 6e 65 74 EHLO.lists.sourceforge.net 
000001A: 0d 0a .. 

This, to an untrained eye, looks okay, so why would it be tripping the test?
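As an added example (written for this thread, not Snort's own code), the following Python decodes the hex dump quoted above and applies a simplified model of the max_command_line_len check: each CRLF-terminated client line is measured, including its CRLF, and compared against the configured limit. The exact byte accounting inside Snort's preprocessor is an assumption here; the captured EHLO line comes to 28 bytes either way.

```python
import re

# Constructed from the two hex-dump lines quoted in the question:
# 26 bytes of "EHLO lists.sourceforge.net" followed by CRLF.
HEX_DUMP = """
0000000: 45 48 4c 4f 20 6c 69 73 74 73 2e 73 6f 75 72 63 65 66 6f 72 67 65 2e 6e 65 74 EHLO.lists.sourceforge.net
000001A: 0d 0a ..
"""

# Mirrors the snort.conf preprocessor option discussed in the thread.
MAX_COMMAND_LINE_LEN = 512


def hexdump_to_bytes(dump: str) -> bytes:
    """Recover the raw payload from an 'offset: xx xx ... ascii' dump.
    Hex pairs are read until the first non-hex token, which starts the ASCII column
    (in this dump non-printables, including space, are rendered as '.')."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _, _, rest = line.partition(":")
        for tok in rest.split():
            if re.fullmatch(r"[0-9a-fA-F]{2}", tok):
                out.append(int(tok, 16))
            else:
                break
    return bytes(out)


def smtp_command_lines(payload: bytes):
    """Split client data on CRLF and return (COMMAND, line_length) per complete line.
    Assumption: the length counted is the whole line including its CRLF."""
    lines = []
    for raw in payload.split(b"\r\n")[:-1]:  # last element is the unterminated remainder
        cmd = raw.split(b" ", 1)[0].decode("ascii", "replace").upper()
        lines.append((cmd, len(raw) + 2))
    return lines


def over_length_commands(payload: bytes, limit: int = MAX_COMMAND_LINE_LEN):
    """Lines whose length exceeds the limit: the condition behind a 124:1 alert."""
    return [(cmd, n) for cmd, n in smtp_command_lines(payload) if n > limit]


if __name__ == "__main__":
    payload = hexdump_to_bytes(HEX_DUMP)
    print(smtp_command_lines(payload))      # [('EHLO', 28)]
    print(over_length_commands(payload))    # [] -> far below the 512-byte limit
    # Constructed counter-example: an EHLO argument padded well past the limit.
    print(over_length_commands(b"EHLO " + b"a" * 600 + b"\r\n"))  # [('EHLO', 607)]
```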

