[Snort-users] [Snort-devel] snort signature failed to prevent attack in inline mode

Edward Borgoyn eborgoyn at ...1935...
Mon Sep 30 13:13:53 EDT 2013


Hello Mitesh,
  Thank you for your inquiry regarding SMTP handling within Snort.

  Do you have a pcap file that you can send to assist with our assessment
of the situation?  We believe the issue is with a limitation of the SMTP
stream flushing implementation.  There is an existing bug report that is
aimed at improving the SMTP stream flushing functionality and hence IPS
capability.

    Best Regards,
    Ed


On Sat, Sep 28, 2013 at 2:17 AM, Mitesh Jadia <mitesh.jadia at ...11827...> wrote:

> Hello,
>
>     I have one SMTP-based attack which is encoded in uuencode format.
>     The server response is in one single packet. But as far as I know, the SMTP
> preprocessor is working only on reassembled packets. So when the client gives
> an ACK of this malicious packet, the server side of the stream is reassembled and I
> get the decoded data of the server response. So in this case, Snort is only able to
> detect this attack, not to prevent it. How should I take care of this scenario?
>
> Regards,
> Mitesh Jadia
>
>
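The gap Mitesh describes, as an added example that is not part of the thread and not Snort's own code: a small Python model of an inline inspector that only evaluates the signature on reassembled, decoded data, with the flush trigger switchable between "on client ACK" and "per packet". `InlineStreamInspector`, `run_scenario`, the two flush policies and the uuencoded marker string are all constructed for illustration and do not reproduce the internals of Snort's stream or SMTP preprocessors.

```python
import binascii

# Constructed sample: a harmless marker uuencoded the way a mail body in a
# server response might carry it. It is not a real malicious payload.
MARKER = b"TEST-MARKER-NOT-REAL-MALWARE"
UUENCODED_BODY = binascii.b2a_uu(MARKER)  # a single uuencode line ending in b"\n"


def decode_uu(data):
    """Decode uuencoded lines; undecodable lines are skipped rather than fatal."""
    out = b""
    for line in data.splitlines(keepends=True):
        try:
            out += binascii.a2b_uu(line)
        except binascii.Error:
            continue
    return out


class InlineStreamInspector:
    """Hypothetical model of an inline IPS that inspects the server-to-client
    side of a TCP stream only after reassembly. The flush policy decides when
    buffered bytes reach the decoder, and therefore whether the inspector can
    drop the offending segment or merely alert on it afterwards."""

    def __init__(self, flush_on_ack=True):
        self.flush_on_ack = flush_on_ack
        self.buffer = b""
        self.events = []  # (action, detail) in the order they happened

    def _matches(self, data):
        # The signature is evaluated on the *decoded* content, as an SMTP
        # decoder would expose it, not on the raw uuencoded bytes.
        return MARKER in decode_uu(data)

    def server_segment(self, payload):
        """Handle one server-to-client segment; return the verdict for it."""
        self.buffer += payload
        if self.flush_on_ack:
            # No flush yet: the segment is forwarded before it is inspected.
            self.events.append(("forward", payload))
            return "pass"
        # Per-packet flush: inspect what we have before deciding the verdict.
        hit = self._matches(self.buffer)
        self.buffer = b""
        self.events.append(("drop" if hit else "forward", payload))
        return "drop" if hit else "pass"

    def client_ack(self):
        """Handle the client's ACK, the flush trigger in flush-on-ACK mode."""
        if not self.flush_on_ack or not self.buffer:
            return None
        hit = self._matches(self.buffer)
        self.buffer = b""
        if hit:
            # The data already left the box; all that remains is an alert.
            self.events.append(("alert", "signature matched after forward"))
            return "alert"
        return None


def run_scenario(flush_on_ack):
    """Replay the thread's scenario: one server segment, then the client ACK."""
    ips = InlineStreamInspector(flush_on_ack=flush_on_ack)
    verdict = ips.server_segment(UUENCODED_BODY)
    ack_result = ips.client_ack()
    return verdict, ack_result


if __name__ == "__main__":
    for policy in (True, False):
        verdict, after_ack = run_scenario(policy)
        print(f"flush_on_ack={policy}: packet verdict={verdict}, after ACK={after_ack}")
```

With the ACK-driven flush the verdict for the data segment is `pass` and the signature fires only once the client's ACK arrives, which is the detect-but-not-prevent behaviour reported above; with a per-packet flush the same segment is dropped before it is forwarded. The model ignores segment ordering, retransmission and multi-line bodies, and a pcap of the real exchange is what lets the developers confirm where the flush actually happens in the shipping implementation.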