[Snort-users] SMTP decoder

Dan Roberts danroberts2604 at ...11827...
Wed Feb 11 09:51:36 EST 2015


Hello guys,

I've been running SNORT for a few months now, and I still get a lot of alerts
like:

"(smtp) Attempted command buffer overflow: more than 512 chars ...."

In the snort.conf file, we find the following parameter for the smtp decoder:

"max_command_line_len 512"

Although the maximum command line length is "strictly" limited to 512 by
RFC 821 (HELO), RFC 1869 (EHLO) authorizes extending this limit:

"... This specification extends the SMTP MAIL FROM and TO to allow
additional parameters and parameter values. It is possible that the MAIL
FROM and RCPT TO lines that result will exceed the 512 character limit on
command line length imposed by RFC 821. ..."

How do you guys manage this?

Do you simply consider these alerts as FP?
Have you raised the max_command_line_len limit?

Cheers
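A way to triage the alerts the post describes, as an added example that is not code from the original post or from the Snort project: it measures each client command line of a constructed SMTP session against the 512-octet limit of RFC 821 (command word through CRLF inclusive) and separates over-limit MAIL FROM / RCPT TO lines whose extra length comes from ESMTP parameters (the case RFC 1869 permits) from other over-limit commands that have no RFC justification. The bucket names, the `SAMPLE_SESSION` contents and the classification rule are assumptions made for this example; they are not Snort's own logic.

```python
"""Triage helper for SMTP command-line-length alerts.

Added example, not code from the original post or from the Snort project.
The 512 default mirrors the snort.conf value discussed in the post; the
"esmtp_extension" / "review" split is a triage heuristic assumed here.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

RFC821_MAX_COMMAND_LINE = 512  # octets, trailing CRLF included (RFC 821 4.5.3)


@dataclass
class Finding:
    line_no: int   # 1-based line number within the session
    command: str   # SMTP verb, upper-cased
    length: int    # octets including CRLF
    bucket: str    # "esmtp_extension" or "review"


def classify(line: bytes, limit: int = RFC821_MAX_COMMAND_LINE) -> Optional[str]:
    """Return a bucket for an over-limit command line, or None if it fits.

    MAIL FROM / RCPT TO lines that carry ESMTP parameters after the closing
    '>' of the path are the case RFC 1869 allows to exceed 512 octets.
    Everything else over the limit (an overlong HELO argument, an overlong
    address with no parameters) has no RFC justification and is flagged
    for review.
    """
    if len(line) <= limit:
        return None
    verb = line.split(b" ", 1)[0].rstrip(b":").upper()
    if verb in (b"MAIL", b"RCPT") and b">" in line:
        params = line.split(b">", 1)[1].strip()
        if params:
            return "esmtp_extension"
    return "review"


def split_commands(session: bytes) -> List[Tuple[int, bytes]]:
    """Return (line_no, raw_line_with_crlf) for each client command line.

    Lines between DATA and the terminating '.' are message body, not
    commands, so they are skipped. The session is assumed to end with CRLF.
    """
    commands = []
    in_body = False
    for n, raw in enumerate(session.split(b"\r\n")[:-1], start=1):
        if in_body:
            if raw == b".":
                in_body = False
            continue
        commands.append((n, raw + b"\r\n"))  # keep CRLF so lengths match RFC 821
        if raw.upper() == b"DATA":
            in_body = True
    return commands


def triage(session: bytes, limit: int = RFC821_MAX_COMMAND_LINE) -> List[Finding]:
    """Collect every command line over `limit`, tagged with its triage bucket."""
    findings = []
    for n, line in split_commands(session):
        bucket = classify(line, limit)
        if bucket is not None:
            verb = line.split(b" ", 1)[0].rstrip(b":").decode("ascii", "replace").upper()
            findings.append(Finding(n, verb, len(line), bucket))
    return findings


# Constructed client-side session (not a real capture). Line 2 is a MAIL FROM
# made long by ESMTP parameters (566 octets); line 4 is a MAIL FROM with an
# overlong address and no parameters (547 octets); line 5 is an overlong HELO
# (607 octets). Body lines after DATA must not count as commands.
SAMPLE_SESSION = (
    b"EHLO client.example.test\r\n"
    + b"MAIL FROM:<alice@example.test> SIZE=1048576 BODY=8BITMIME ENVID="
    + b"x" * 500 + b"\r\n"
    + b"RCPT TO:<bob@example.test>\r\n"
    + b"MAIL FROM:<" + b"a" * 520 + b"@example.test>\r\n"
    + b"HELO " + b"A" * 600 + b"\r\n"
    + b"DATA\r\n"
    + b"Subject: test\r\n"
    + b"\r\n"
    + b"hello\r\n"
    + b".\r\n"
    + b"QUIT\r\n"
)

if __name__ == "__main__":
    for f in triage(SAMPLE_SESSION):
        print(f"line {f.line_no}: {f.command} {f.length} octets -> {f.bucket}")
```

Run over real traffic, a persistent "esmtp_extension" population points at raising the limit (or, in Snort 2.x's smtp preprocessor, at the per-command `alt_max_command_line_len` option documented in README.smtp, which lets MAIL and RCPT get a different ceiling from HELO or HELP) rather than at blanket suppression, while anything landing in "review" is the subset the alert was written for.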