[Snort-users] smtp: Attempted command buffer overflow

Bhagya Bantwal bbantwal at ...1935...
Fri Apr 19 13:12:27 EDT 2013


Phil,

This looks like a FP. Do you happen to have a pcap for this?

I will file a bug to fix this.

Thanks!
-B


On Fri, Apr 19, 2013 at 11:33 AM, Phil Daws <uxbod at ...14273...> wrote:

> Hello Shane,
>
> I am beginning to agree, as it's FP'ing Google, Sourceforge and many more WL
> sources.  Am going to suppress those as something is not right at all.
>
> Thanks.
>
> ----- Original Message -----
> From: "Shane Castle" <scastle at ...14946...>
> To: "Phil Daws" <uxbod at ...14273...>, "snort-users at lists.sourceforge.net"
> <snort-users at lists.sourceforge.net>
> Sent: Friday, 19 April, 2013 4:25:57 PM
> Subject: RE: smtp: Attempted command buffer overflow
>
> Every one of these I have ever investigated has turned out to be FP. I
> have a full NSM installation so I can examine the complete conversation. I
> have wound up suppressing the more chatty alerts in threshold.conf. I'm on
> the point of disabling the smtp preprocessor entirely but I keep hoping
> it's doing something useful.
>
> The ones I am suppressing are 124:1, 124:7, and 124:10.
>
> --
> Shane Castle
> Data Security Mgr, Boulder County IT
>
> -----Original Message-----
> From: Phil Daws [mailto:uxbod at ...14273...]
> Sent: Friday, April 19, 2013 01:38
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] smtp: Attempted command buffer overflow
>
> Still seeing a huge amount of these and the payload does not appear to be
> over the threshold.  How would one best analyze why this is happening?
>
> Thanks.
>
> ----- Original Message -----
> From: "Phil Daws" <uxbod at ...14273...>
> To: snort-users at lists.sourceforge.net
> Sent: Wednesday, 17 April, 2013 1:38:06 PM
> Subject: Re: [Snort-users] smtp: Attempted command buffer overflow
>
> Manuel,
>
> thank you for the reply but I am at a loss as to what you mean? I thought
> the rule was saying that the number of bytes in the HELO/EHLO line was >
> 512 as defined by:
>
> max_command_line_len 512
>
> in the preprocessor section of snort.conf.
>
> Am I wrong in my understanding?
>
> Thanks.
>
>
> ----- Original Message -----
> From: "Manuel Garcia-Zamora" <zamoram at ...15640...>
> To: "Phil Daws" <uxbod at ...14273...>
> Sent: Wednesday, 17 April, 2013 9:33:57 AM
> Subject: RE: smtp: Attempted command buffer overflow
>
> Phil
> This probably is because that email server lists.sourceforge.net is not
> defined as a corporate mail server in the email servers in the configuration
> file; therefore this is not an authorized email relay server to connect to by
> smtp.
>
> You should not allow any outbound SMTP. If this is for an authorized
> source then you can create an exception to this alert by source IP.
>
> Regards
>
> Manuel
>
> -----Original Message-----
> From: Phil Daws [mailto:uxbod at ...14273...]
> Sent: 17 April 2013 09:07
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] smtp: Attempted command buffer overflow
>
> Hello,
>
> have recently installed Snort and am beginning to see a lot of alerts from
> the SMTP preprocessor for SID 124:1:1. Looking at the payload data it shows:
>
> 0000000: 45 48 4c 4f 20 6c 69 73 74 73 2e 73 6f 75 72 63 65 66 6f 72 67 65 2e 6e 65 74  EHLO.lists.sourceforge.net
> 000001A: 0d 0a  ..
>
> This, to an untrained eye, looks okay, so why would it be tripping the test?
>
> Thanks.
>
>
> ------------------------------------------------------------------------------
> Precog is a next-generation analytics platform capable of advanced
> analytics on semi-structured data. The platform includes APIs for building
> apps and a phenomenal toolset for data science. Developers can use our
> toolset for easy data analysis & visualization. Get a free account!
> http://www2.precog.com/precogplatform/slashdotnewsletter
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
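Added example, not code from the thread or from Snort: it rebuilds the EHLO payload from the hexdump Phil posted, applies the length check Phil understands alert 124:1 to perform (max_command_line_len 512), and emits the threshold.conf suppress entries Shane used, with the per-source variant Manuel suggested. The function names are this example's own; whether the preprocessor counts the trailing CRLF is an assumption the thread does not settle.

```python
from typing import List, Optional, Tuple

MAX_COMMAND_LINE_LEN = 512  # value quoted from the poster's snort.conf smtp preprocessor

# Constructed from the xxd-style dump posted in the thread (hex pairs, two spaces, ASCII).
PAYLOAD_DUMP = """\
0000000: 45 48 4c 4f 20 6c 69 73 74 73 2e 73 6f 75 72 63 65 66 6f 72 67 65 2e 6e 65 74  EHLO.lists.sourceforge.net
000001A: 0d 0a  ..
"""


def parse_xxd(dump: str) -> bytes:
    """Rebuild raw bytes from an xxd-style dump line: '<offset>: <hex pairs>  <ascii>'."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        hex_part = line.split(":", 1)[1].split("  ")[0]  # hex pairs end at the double space
        out += bytes.fromhex(hex_part)
    return bytes(out)


def check_command_lines(payload: bytes, max_len: int = MAX_COMMAND_LINE_LEN) -> List[Tuple[str, int, bool]]:
    """Return (verb, length, over_limit) for each CRLF-terminated SMTP command line.
    Length excludes the CRLF (assumption); a 26-byte EHLO cannot reach 512 either way."""
    results = []
    for line in payload.split(b"\r\n"):
        if not line:
            continue
        verb = line.split(b" ", 1)[0].decode("ascii", "replace").upper()
        results.append((verb, len(line), len(line) > max_len))
    return results


def suppress_line(gid: int, sid: int, src_ip: Optional[str] = None) -> str:
    """threshold.conf entry of the kind Shane used for 124:1, 124:7 and 124:10;
    with src_ip it becomes the per-source exception Manuel suggested instead."""
    entry = f"suppress gen_id {gid}, sig_id {sid}"
    if src_ip:
        entry += f", track by_src, ip {src_ip}"
    return entry


if __name__ == "__main__":
    payload = parse_xxd(PAYLOAD_DUMP)
    print(payload)  # b'EHLO lists.sourceforge.net\r\n'
    for verb, length, over in check_command_lines(payload):
        print(f"{verb}: {length} bytes, over {MAX_COMMAND_LINE_LEN}? {over}")
    print(suppress_line(124, 1, "192.0.2.10"))  # 192.0.2.10 is a constructed documentation address
```

Running it shows the posted EHLO line is 26 bytes before the CRLF, far under 512, which is consistent with the false-positive conclusion reached in the thread.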