[Snort-users] smtp: Attempted command buffer overflow
uxbod at ...14273...
Wed Apr 17 08:38:06 EDT 2013
Thank you for the reply, but I am at a loss as to what you mean? I thought the rule was saying that the number of bytes in the HELO/EHLO line was > 512 as defined by:
in the preprocessor section of snort.conf.
Am I wrong in my understanding?
----- Original Message -----
From: "Manuel Garcia-Zamora" <zamoram at ...15640...>
To: "Phil Daws" <uxbod at ...14273...>
Sent: Wednesday, 17 April, 2013 9:33:57 AM
Subject: RE: smtp: Attempted command buffer overflow
This is probably because the email server lists.sourceforge.net is not defined as a corporate mail server in the email servers in the configuration file; therefore it is not an authorized email relay server to connect by SMTP.
You should not allow any outbound SMTP; if this is for an authorized source, then you can create an exception to this alert by source IP.
From: Phil Daws [mailto:uxbod at ...14273...]
Sent: 17 April 2013 09:07
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] smtp: Attempted command buffer overflow
Have recently installed Snort and am beginning to see a lot of alerts from the SMTP preprocessor for SID 124:1:1. Looking at the payload data it shows:
0000000: 45 48 4c 4f 20 6c 69 73 74 73 2e 73 6f 75 72 63 65 66 6f 72 67 65 2e 6e 65 74 EHLO.lists.sourceforge.net
000001A: 0d 0a ..
This, to an untrained eye, looks okay, so why would it be tripping the test?
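The length check described in the first message of this thread, as an added example that is not part of the thread and not Snort's own code: it rebuilds the quoted payload from the hex dump and compares each SMTP command line with the 512-byte figure the poster cites. The function names are hypothetical, and lengths exclude the CRLF because the page does not say how the preprocessor counts it.

```python
import re

# Limit the poster cites for the SMTP preprocessor (taken from the thread,
# not read from any snort.conf).
MAX_COMMAND_LINE_LEN = 512

# The two payload lines quoted in the original post.
DUMP = """\
0000000: 45 48 4c 4f 20 6c 69 73 74 73 2e 73 6f 75 72 63 65 66 6f 72 67 65 2e 6e 65 74 EHLO.lists.sourceforge.net
000001A: 0d 0a ..
"""

HEX_PAIR = re.compile(r"^[0-9a-fA-F]{2}$")


def dump_to_bytes(dump):
    """Rebuild the raw payload from 'offset: hh hh ... ascii' lines."""
    out = bytearray()
    for line in dump.splitlines():
        offset, sep, rest = line.partition(":")
        if not sep:
            continue
        # The offset column must match the bytes decoded so far; this catches
        # dropped lines and ASCII text misread as hex.
        if int(offset, 16) != len(out):
            raise ValueError("offset %s does not match %d bytes" % (offset, len(out)))
        for token in rest.split():
            if not HEX_PAIR.match(token):
                break  # reached the ASCII column
            out.append(int(token, 16))
    return bytes(out)


def command_lines(payload, limit=MAX_COMMAND_LINE_LEN):
    """Return (verb, length_without_crlf, over_limit) per SMTP command line."""
    rows = []
    for raw in payload.split(b"\r\n"):
        if not raw:
            continue
        verb = raw.split(b" ", 1)[0].decode("ascii", "replace").upper()
        rows.append((verb, len(raw), len(raw) > limit))
    return rows


if __name__ == "__main__":
    for verb, length, over in command_lines(dump_to_bytes(DUMP)):
        print("%-6s %4d bytes  %s" % (verb, length, "OVER LIMIT" if over else "ok"))
```
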