[Snort-users] SMTP decoder

waldo kitty wkitty42 at ...14940...
Thu Feb 12 19:19:42 EST 2015


On 2/11/2015 4:50 PM, Joel Esler (jesler) wrote:
> You’ve got your two alternatives there.  Raise the limit, or suppress the alert.
>
> Ask yourself what your action is going to be there.  “What am I going to do
> about a big SMTP server command”, if the answer is “nothing”, then suppress the
> alert.  If the answer is anything else, then use your best judgement as to what
> action you should take.

since RFC1869 allows for a larger command line length, would it be a good idea 
if snort's AMTP preprocessor allowed for different length check settings for 
each of HELO or EHLO? ;)

>
> --
> *Joel Esler*
> Open Source Manager
> Threat Intelligence Team Lead
> Talos
>
>> On Feb 11, 2015, at 9:51 AM, Dan Roberts <danroberts2604 at ...11827...
>> <mailto:danroberts2604 at ...11827...>> wrote:
>>
>> Hello guys,
>>
>> I'm running SNORT since a few months now, and I still get a lot of alerts like:
>>
>> *"(smtp) Attempted command buffer overflow: more than 512 chars ...."*
>>
>> In the snort.conf file, we find following parameter for the smtp decoder:
>>
>> *"max_command_line_len 512"*
>>
>> Although the maximum command line length is "strictly" limited to 512 by RFC
>> 821 (HELO), the RFC 1869 (EHLO) authorize the extension of this limit:
>> ... */This specification extends the SMTP MAIL FROM and TO to allow additional
>> parameters and parameter values. It is possible that the MAIL FROM and RCPT TO
>> lines that result will exceed the 512 character limit on command line length
>> imposed by RFC 821/*.
>> ..."
>>
>> How do you,  guys, manage this ?
>> Do you simply consider these alerts as FP ?
>> Have you raised the max_command_line_len limit ?



-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.




More information about the Snort-users mailing list