[Snort-users] SMTP Preprocessor : X-ANONYMOUSTLS command

Al Lewis (allewi) allewi at ...589...
Wed Mar 11 09:30:35 EDT 2015


Hello,

I would think that the “"SMTP_UNKNOWN_CMD” 124:5 command would have alerted once you added it to alert on unknown cmds if it is indeed unknown.

Is the data for this new command longer than 512 chars? Im asking because you are not getting alerts for unknown commands but just the length of the command.

If it is then you may want to change the “max_command_line_len 512” to something larger. Below is the section from the SMTP preprocessor section 42.


http://manual.snort.org/node17.html#SECTION00328000000000000000


“max_command_line_len <int>
Alert if an SMTP command line is longer than this value. Absence of this option or a "0" means never alert on command line length. RFC 2821 recommends 512 as a maximum command line length.”




A pcap and conf file would help a lot but I know this is not always possible. ☺


Hope this helps!


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...

From: Dan Roberts [mailto:danroberts2604 at ...11827...]
Sent: Wednesday, March 11, 2015 5:36 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] SMTP Preprocessor : X-ANONYMOUSTLS command

Hi Guys,

I'm getting continuously FP (I presume) alerts associated to SMTP traffic (124:1:1 (smtp) Attempted command buffer overflow: more than 512 chars).

One week ago I made a trace and noticed that many MS Exchange servers on our networks use a special SMTP command (X-ANONYMOUSTLS) not referenced in the Snort SMTP preprocessor.

First, I tried to add "alert_unknown_cmds" to see if the preprocessor didn't know that command. No output at all.

Then, I tried to list all the commands understood by the preprocessor, using "print_cmds" and restarted snort with -M to have time to investigate the output of the command. Again, no output at all.....

Did someone use those commands successfully once ?

Additionally, I'm wondering why is there so few information about that X-ANONYMOUSTLS  command...


Cheers

Dan

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150311/cf0d3af6/attachment.html>


More information about the Snort-users mailing list