[Snort-sigs] Possible false positive on SID 663

From: McKinlay, Ken <ken.mckinlay(at)dy4.com>
Date: Tue May 27 2003 - 09:35:44 EDT


Greetings,

I think I am running into a false positive situation with SID 664, revision 6 (SMTP rcpt to sed command attempt) under Snort 2.0 running on RedHat 8.

The rule, as I understand it, is supposed to trigger when a pipe symbol is followed by a "sed ", but that is not the case when I examine the packets. The packet that tripped the alert does have a pipe symbol, but nowhere near the "sed ". In fact the "sed " is at the end of the word "increased ", about 1900 bytes from the pipe symbol.

The rule for me is not critical, and I have disabled it since the version of sendmail I am running supposedly is not vulnerable. But I do think it should be corrected or placed on the obsolete list (according to Bugtraq it was used by the Morris worm with an "old" version of sendmail). Unfortunately I am not even close to competent in rule writing to correct this rule; can anyone help me out?

Ken McKinlay, GCIA
Network Security, Dy 4 Systems
ken.mckinlay@dy4.com
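The failure mode described in the post, as an added example that is not part of the original message and not the text of SID 663/664 or any Snort code: a rule whose content matches are searched independently fires whenever a pipe and "sed " both appear anywhere in the payload, so the trailing "sed " of "increased " about 1900 bytes from the pipe is enough. Chaining the "sed " match to the pipe match with Snort-style distance/within semantics keeps the two adjacent. The matcher, both rule definitions and the two SMTP payloads below are constructed for illustration.

```python
"""Emulate independent vs. chained Snort content matches.

Added example; not Snort's matcher and not the real rule text.
"""

# Constructed benign payload: a pipe early on, "sed " only as the tail of
# "increased " roughly 1900 bytes later (the case reported in the post).
BENIGN = (b"RCPT TO:<ken@example.com>\r\n"
          b"Status report for sales | marketing\r\n"
          + b"x" * 1900 +
          b"\r\nDemand increased this quarter.\r\n")

# Constructed attack payload: a pipe immediately followed by "sed ".
ATTACK = b"RCPT TO:<\"|sed -e '1,/^$/d' | sh\">\r\n"

# Each entry is (pattern, distance, within).
#   distance None -> search from the start of the payload (independent).
#   distance N    -> match must start >= N bytes after the previous match end.
#   within N      -> match must end <= N bytes after the previous match end.
LOOSE_RULE = [(b"rcpt to:", None, None),
              (b"|", None, None),
              (b"sed ", None, None)]

# "sed " must begin right after the pipe and end within 8 bytes of it.
CHAINED_RULE = [(b"rcpt to:", None, None),
                (b"|", 0, None),
                (b"sed ", 0, 8)]


def find_chain(payload: bytes, rule) -> bool:
    """Return True if every content in `rule` matches under its constraints."""
    last_end = 0
    for pattern, distance, within in rule:
        if distance is None:
            start = payload.find(pattern)
        else:
            lo = last_end + distance
            hi = len(payload) if within is None else last_end + within
            start = payload.find(pattern, lo, hi)
        if start < 0:
            return False
        last_end = start + len(pattern)
    return True


def evaluate(payload: bytes, rule) -> bool:
    """Case-insensitive evaluation, like a nocase content match."""
    return find_chain(payload.lower(), rule)


if __name__ == "__main__":
    for name, payload in (("benign", BENIGN), ("attack", ATTACK)):
        print(name, "loose:", evaluate(payload, LOOSE_RULE),
              "chained:", evaluate(payload, CHAINED_RULE))
```

In real Snort syntax the chained constraint is written on the second content as `content:"sed "; distance:0; within:8;` (illustrative values), which is the kind of correction the post asks for; the loose form fires on both payloads, the chained form only on the attack.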




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Tue May 27 10:33:57 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:29 EDT

