Re: [Snort-sigs] False Positive on SMTP HELO Overflow
On Tue, Apr 29, 2003 at 02:20:05PM -0500, Matthew Callaway wrote:
> Here is a new version of this signature that works correctly:
Yeah - the "at least one char at 500 bytes" is needed as I'm currently
getting tonnes of FPs on some spammer SMTP server sending "HELO \r\n" - i.e.
no name string. Looking for any other char would stop that FP.
..but I still don't think regex is ready in 2.0??
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Received on Wed Apr 30 17:41:26 2003