No subject


Thu Nov 23 16:36:19 EST 2017


alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP RCPT TO overflow";
flags:A+; content:"rcpt to|3a|"; dsize:>800; reference:cve,CAN-2001-0260;
reference:bugtraq,2283; classtype:attempted-admin; sid:654; rev:1;)

This means alert on a packet containing "rcpt to:" that is > 800 bytes. Now
in SMTP, typically a single packet is sent from the SMTP client to the
server that contains the "rcpt to:" envelope headers:

i.e.

SMTP Client                                    SMTP Server
(Pck1) "ehlo xxxxx"                  ---->
                                     <----    "250-Bite me"
(Pck2) "mail from: me at ...5721..."    ---->
                                     <----    "OK"
(Pck3) "rcpt to: you at ...5722..."     ---->
etc


So Pck3 is typically pretty small - so if Pck3 is >800 bytes - it's
indicative of a buffer overflow attempt.

However, the same rule would catch the 7th line up too. This message should
cause a trigger too ;-)

Adding an "offset: 0" option to the rule should help. In fact that would
almost completely remove false positives on that one I think? (Comments?)


-- 
Cheers

Jason Haar

Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
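As an added illustration (not part of the original post or of Snort itself), the
following Python emulates just the content/dsize/offset/depth checks that the
rule above relies on, and runs them over three constructed SMTP payloads: a
normal RCPT TO, an oversized RCPT TO, and a DATA-phase message body that merely
quotes the string "rcpt to:" (the way this very mail does). The packet contents,
the ContentRule class and the rule-emulation logic are all assumptions made for
the example; the anchored variant requires the content at byte 0 of the payload,
which in Snort syntax is offset together with a depth equal to the content length.

```python
"""Emulate the content/dsize/offset/depth checks of the SMTP RCPT TO rule.

Constructed example, not Snort's matching engine. Shows why an unanchored
content match plus dsize:>800 fires on any large packet that quotes
"rcpt to:", and why anchoring the match to the payload start removes that
false positive while still catching the oversized RCPT TO command.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


def parse_content(spec: str) -> bytes:
    """Turn a Snort content string such as 'rcpt to|3a|' into raw bytes.

    Text outside |...| is literal ASCII; text inside is hex bytes.
    """
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += part.encode("ascii")
        else:
            out += bytes.fromhex(part)
    return bytes(out)


@dataclass
class ContentRule:
    content: bytes          # bytes that must appear in the payload
    dsize_gt: int           # dsize:>N  -> payload must be longer than N bytes
    offset: int = 0         # offset:N  -> start searching at byte N (0 is the default)
    depth: Optional[int] = None  # depth:N -> search only N bytes from offset; None = whole payload

    def matches(self, payload: bytes) -> bool:
        if len(payload) <= self.dsize_gt:
            return False
        end = len(payload) if self.depth is None else self.offset + self.depth
        return self.content in payload[self.offset:end]


# Constructed SMTP payloads (hypothetical addresses, not real traffic).
PACKETS: Dict[str, bytes] = {
    # Pck3 as it normally looks: a few dozen bytes.
    "legit_rcpt": b"rcpt to: <you@example.invalid>\r\n",
    # Pck3 with an absurdly long local part, the overflow pattern the rule targets.
    "overflow_rcpt": b"rcpt to: <" + b"A" * 900 + b"@example.invalid>\r\n",
    # A DATA-phase chunk of a mail discussing the rule: quotes the string, is >800 bytes,
    # but "rcpt to:" is nowhere near byte 0 of the payload.
    "mail_body": (
        b"Subject: snort rule question\r\n\r\n"
        b"This means alert on a packet containing \"rcpt to:\" that is > 800 bytes.\r\n"
        + b"x" * 900
        + b"\r\n.\r\n"
    ),
}

RCPT_CONTENT = parse_content("rcpt to|3a|")

# Rule as posted: content may occur anywhere in a payload longer than 800 bytes.
ORIGINAL_RULE = ContentRule(content=RCPT_CONTENT, dsize_gt=800)

# Anchored variant: content must sit at the very start of the payload.
ANCHORED_RULE = ContentRule(
    content=RCPT_CONTENT, dsize_gt=800, offset=0, depth=len(RCPT_CONTENT)
)


def fired(rule: ContentRule, packets: Dict[str, bytes] = PACKETS) -> List[str]:
    """Return the names of the packets that would trigger the rule."""
    return [name for name, payload in packets.items() if rule.matches(payload)]


if __name__ == "__main__":
    print("original rule fires on:", fired(ORIGINAL_RULE))
    print("anchored rule fires on:", fired(ANCHORED_RULE))
```

Running it shows the original rule firing on both the oversized RCPT TO and on
the mail body that quotes the string, while the anchored variant fires only on
the oversized RCPT TO.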



