[Snort-users] SMTP Preprocessor : X-ANONYMOUSTLS command

stephane.nasdrovisky at ...12261...
Thu Mar 12 09:22:10 EDT 2015


More digging in the sources tells me:
The "more than x chars" message comes before the check for the command. You'll probably have to wait for version 3.

A different check for starttls and x-anonymoustls would be nice.

The file src/dynamic_preprocessors/snort_smtp.c contains

smtp_known_cmds
    "*"              CMD_ABORT
(there’s a starttls or ehlo command but no X- command)

SMTP_HandleCommand
    check for command line exceeding maximum
                SMTP_GenerateAlert(SMTP_COMMAND_OVERFLOW, "%s: more than %d chars",
                            SMTP_COMMAND_OVERFLOW_STR, smtp_eval_config->max_command_line_len);

        case CMD_ABORT:
            smtp_ssn->state_flags |= SMTP_FLAG_ABORT;

From: Dan Roberts 

My questions were regarding the way it is managed by snort...
  I'm continuously getting FP (I presume) alerts associated with SMTP traffic (124:1:1 (smtp) Attempted command buffer overflow: more than 512 chars).
I bet it is a FP.
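As an added illustration of the check order stephane describes in SMTP_HandleCommand (length check first, command lookup second), here is a small Python model; it is not Snort's own code, and the command table subset, the 512-char limit and the SMTP session are constructed for this example.

```python
# Added example, not code from the Snort project: a simplified model of the
# order of checks described above for SMTP_HandleCommand. The command table
# below is a constructed subset; "*" is the catch-all entry mapped to CMD_ABORT.
MAX_COMMAND_LINE_LEN = 512  # stands in for smtp_eval_config->max_command_line_len

KNOWN_CMDS = {"EHLO": "CMD_EHLO", "STARTTLS": "CMD_STARTTLS",
              "MAIL": "CMD_MAIL", "RCPT": "CMD_RCPT", "DATA": "CMD_DATA",
              "QUIT": "CMD_QUIT", "*": "CMD_ABORT"}

def handle_command(line, state):
    """Process one command line; return the alerts it raises and update state."""
    alerts = []
    # 1. The length check runs before the verb is examined, so a line of
    #    encrypted or otherwise unrecognised bytes longer than the limit
    #    alerts regardless of which command preceded it.
    if len(line) > MAX_COMMAND_LINE_LEN:
        alerts.append("124:1:1 SMTP_COMMAND_OVERFLOW: more than %d chars"
                      % MAX_COMMAND_LINE_LEN)
    # 2. Command lookup: a verb absent from the table (X-ANONYMOUSTLS here)
    #    falls through to "*" and therefore to CMD_ABORT.
    verb = line.split(" ", 1)[0].upper()
    cmd = KNOWN_CMDS.get(verb, KNOWN_CMDS["*"])
    if cmd == "CMD_ABORT":
        state["flags"].add("SMTP_FLAG_ABORT")
    state["last_cmd"] = cmd
    return alerts

def run_session(lines):
    """Feed a client-side command stream through the model, line by line."""
    state = {"flags": set(), "last_cmd": None}
    report = []
    for line in lines:
        report.append((line[:20], handle_command(line, state)))
    return state, report

# Constructed session: an Exchange-style X-ANONYMOUSTLS verb, then a line far
# longer than the limit (standing in for data the preprocessor cannot parse).
SESSION = ["EHLO mail.example.test", "X-ANONYMOUSTLS", "A" * 600, "QUIT"]

if __name__ == "__main__":
    final_state, lines_report = run_session(SESSION)
    for prefix, alerts in lines_report:
        print(repr(prefix), alerts)
    print(sorted(final_state["flags"]))
```

Run it to see that only the over-long line raises 124:1:1, while X-ANONYMOUSTLS itself raises nothing but leaves the session in the abort state.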