[Snort-users] SMTP Preprocessor : X-ANONYMOUSTLS command

Dan Roberts danroberts2604 at ...11827...
Wed Mar 11 05:35:40 EDT 2015


Hi Guys,

I'm continuously getting FP (I presume) alerts associated with SMTP traffic
(124:1:1 (smtp) Attempted command buffer overflow: more than 512 chars).

One week ago I made a trace and noticed that many MS Exchange servers on
our networks use a special SMTP command (X-ANONYMOUSTLS) not referenced in
the Snort SMTP preprocessor.

First, I tried to add "alert_unknown_cmds" to see if the preprocessor
didn't know that command. No output at all.

Then, I tried to list all the commands understood by the preprocessor,
using "print_cmds" and restarted snort with -M to have time to investigate
the output of the command. Again, no output at all...

Has anyone used those commands successfully?

Additionally, I'm wondering why there is so little information about
that X-ANONYMOUSTLS command...


Cheers

Dan