
Re: [Snort-sigs] False Positive on SMTP HELO Overflow

From: Matthew Callaway <matt(at)securepipe.com>
Date: Tue Apr 29 2003 - 15:20:05 EDT

Here is a new version of this signature that works correctly:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP HELO overflow attempt"; flow:to_server,established; content:"HELO "; offset:0; depth:5; content:!"|0a|"; within:500; content: "?"; offset: 499; regex; reference:cve,CVE-2000-0042; reference:nessus,10324; classtype:attempted-admin; sid:1549; rev:10;)

i.e.: "HELO " from byte 0 to 5, but no LF within 500 bytes, and at least one char at 500 bytes.

I have tested this with snort-1.9.1 and it works. I'm not sure if snort-2.0.0 supports regex anymore.


Matthew Callaway            | matt@securepipe.com
Project Manager             | Tel: 608.294.6940
Firewall and VPN Technology | Fax: 608.294.6950
SecurePipe, Inc.            | Web: www.securepipe.com
-----------------------------------------------------

On Mon, 28 Apr 2003, Ron Shuck wrote:

> Hi All,
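The three checks Matthew's revised rule performs (leading "HELO ", no line feed within 500 bytes, and a byte present at offset 499) can be exercised without Snort. The following is an added example, not code from the post or from the Snort project; it re-implements the rule's logic in Python over constructed SMTP command payloads so the hit and no-hit cases, including the 499/500-byte boundary, can be checked by hand. It assumes the 500-byte LF window is counted from the start of the payload, as the post's description reads.

```python
# Added example (not from the mailing-list post): a pure-Python rendition of
# the three checks the revised Snort rule performs, so the logic can be
# exercised against constructed SMTP command payloads without Snort.
#
# The checks, as described in the post:
#   1. the payload starts with "HELO " (content at offset 0, depth 5);
#   2. no line feed (0x0a) appears within the first 500 bytes
#      (assumption: the window is counted from the start of the payload);
#   3. at least one byte exists at offset 499, i.e. the payload is >= 500 bytes.

HELO_PREFIX = b"HELO "
WINDOW = 500


def matches_helo_overflow(payload: bytes) -> bool:
    """Return True when a client->server SMTP payload trips the rule."""
    starts_with_helo = payload[: len(HELO_PREFIX)] == HELO_PREFIX
    no_newline_in_window = b"\n" not in payload[:WINDOW]
    long_enough = len(payload) >= WINDOW
    return starts_with_helo and no_newline_in_window and long_enough


def scan(payloads):
    """Run the check over (label, payload) pairs; return the labels that alert."""
    return [label for label, payload in payloads if matches_helo_overflow(payload)]


# Constructed sample payloads (not captured traffic).
SAMPLES = [
    ("normal helo", b"HELO mail.example.test\r\n"),
    ("ehlo, not helo", b"EHLO " + b"A" * 600),
    ("long helo, no newline", b"HELO " + b"A" * 600),
    ("long packet, helo line terminated early", b"HELO x\r\n" + b"A" * 600),
    ("499 bytes, no newline", b"HELO " + b"A" * 494),
    ("500 bytes, no newline", b"HELO " + b"A" * 495),
]

if __name__ == "__main__":
    for label in scan(SAMPLES):
        print("ALERT:", label)
```

Only the two oversized, unterminated HELO payloads alert; a normal HELO line, an EHLO, and a large packet whose HELO line ends early all pass, which is the behaviour the post describes for the revised rule.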

Received on Wed Apr 30 09:48:29 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:27 EDT
