
[Snort-sigs] SMTP rcpt to sed command attempt

From: Tony Lill <ajlill(at)ajlc.waterloo.on.ca>
Date: Sat May 24 2003 - 23:24:15 EDT


This sig triggers too many false positives.

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP rcpt to sed command attempt"; flow:to_server,established; content:"rcpt to\:"; nocase; content:"\|"; distance:0; content:"sed "; distance:0; reference:bugtraq,1; reference:arachnids,172; reference:cve,CVE-1999-0095; classtype:attempted-admin; sid:663; rev:6;)

As written, this rule will trigger on any mail message that contains a | followed by "sed " anywhere in the message. I take it that distance:0 is meant to order the strings. Perhaps you should add some within clauses to rein it in.

--
Tony Lill,                         Tony.Lill@AJLC.Waterloo.ON.CA
President, A. J. Lill Consultants        fax/data (519) 650 3571
539 Grand Valley Dr., Cambridge, Ont. N3H 2S2     (519) 241 2461
--------------- http://www.ajlc.waterloo.on.ca/ ----------------
"Welcome to All Things UNIX, where if it's not UNIX, it's CRAP!"


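The point of the post is that distance:0 only orders the three content matches; it puts no upper bound on the gap between them, so "|" and "sed " can sit anywhere later in the mail body. The following is an added example, not code from the post or from the Snort project: a small Python model of Snort 2 content matching with distance and within (simplified; it assumes distance:N starts the search window N bytes past the end of the previous match, within:N requires the next match to end no more than N bytes past the end of the previous match, and an unmodified content is searched from the start of the payload). It runs sid 663 as posted, and a version with within clauses whose bounds (8 and 16) are illustrative assumptions rather than values from the post, over two constructed SMTP sessions: a normal mail whose body happens to mention a shell pipeline and sed, and a session of the shape the rule is meant to catch.

```python
"""Simplified model of Snort 2 content / distance / within matching.

Added example, not part of the original post. Assumptions: distance:N moves
the start of the search window N bytes past the end of the previous match;
within:N requires the next match to end no more than N bytes past the end of
the previous match; a content with neither modifier is searched from the
start of the payload. Snort's real matcher has more cases than this, but
this is enough to show why distance:0 alone does not bound the gap.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Content:
    pattern: str
    nocase: bool = False
    distance: Optional[int] = None  # minimum gap after the previous match
    within: Optional[int] = None    # max bytes from previous match end to this match end


def rule_matches(payload: str, contents: List[Content]) -> bool:
    """True if every content matches in order, honouring its modifiers.

    Backtracks over earlier matches (as Snort does), so a later content that
    falls outside its window is retried from the next occurrence of an
    earlier one before the rule is declared not to match.
    """

    def search(i: int, cursor: int) -> bool:
        if i == len(contents):
            return True
        c = contents[i]
        relative = c.distance is not None or c.within is not None
        lo = cursor + (c.distance or 0) if relative else 0
        hi = cursor + c.within if c.within is not None else len(payload)
        hay = payload[lo:hi]  # the match must lie entirely inside this window
        needle = c.pattern
        if c.nocase:
            hay, needle = hay.lower(), needle.lower()
        idx = hay.find(needle)
        while idx >= 0:
            if search(i + 1, lo + idx + len(needle)):
                return True
            idx = hay.find(needle, idx + 1)
        return False

    return search(0, 0)


# sid 663 rev 6 as posted: "rcpt to:" (nocase), then "|", then "sed ", with
# distance:0 only ordering the matches. "\:" and "\|" in the rule are escapes.
ORIGINAL_RULE = [
    Content("rcpt to:", nocase=True),
    Content("|", distance=0),
    Content("sed ", distance=0),
]

# The same rule with within clauses. The bounds are illustrative assumptions,
# not values from the post: the pipe must end within 8 bytes of "rcpt to:"
# and "sed " within 16 bytes of the pipe.
TIGHTENED_RULE = [
    Content("rcpt to:", nocase=True),
    Content("|", distance=0, within=8),
    Content("sed ", distance=0, within=16),
]

# Constructed sample SMTP client traffic (not captured data).
BENIGN_SESSION = (
    "MAIL FROM:<alice@example.com>\r\n"
    "RCPT TO:<bob@example.com>\r\n"
    "DATA\r\n"
    "Subject: shell tip\r\n"
    "\r\n"
    "Count the lines with ls | wc -l, then use sed to trim the header.\r\n"
    ".\r\n"
)
ATTACK_SESSION = (
    "MAIL FROM:<attacker@example.net>\r\n"
    "RCPT TO: |sed -n p\r\n"
)


def original_rule_fires(payload: str) -> bool:
    return rule_matches(payload, ORIGINAL_RULE)


def tightened_rule_fires(payload: str) -> bool:
    return rule_matches(payload, TIGHTENED_RULE)


if __name__ == "__main__":
    for name, payload in (("benign", BENIGN_SESSION), ("attack", ATTACK_SESSION)):
        print(name, "original:", original_rule_fires(payload),
              "tightened:", tightened_rule_fires(payload))
```

The original rule fires on both sessions, because the pipe in "ls | wc -l" and the later "sed " satisfy the ordered-but-unbounded matches; the version with within clauses fires only on the session where the pipe follows RCPT TO: directly. The exact within values should be chosen from what the targeted attack form and legitimate RCPT TO lines actually look like on the wire, which this model does not decide.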
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
Received on Sun May 25 00:54:29 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:29 EDT

