
List:       snort-sigs
Subject:    [Snort-sigs] SMTP HELO overflow
From:       "Ian Macdonald" <secsnortsigs () dirk ! demon ! co ! uk>
Date:       2002-08-14 16:27:08

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP HELO overflow attempt"; flags:A+; dsize:>500; content:"HELO "; offset:0; depth:5; reference:cve,CVE-2000-0042; reference:nessus,10324; classtype:attempted-admin; sid:1549; rev:8;)


Please update to

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP HELO overflow attempt"; flags:A+; dsize:>500; content:"HELO "; offset:0; depth:5; content: !"|0D 0A|MAIL FROM:"; reference:cve,CVE-2000-0042; reference:nessus,10324; classtype:attempted-admin; sid:1549; rev:9;)


This should eliminate false positives for this kind of data:

HELO XXX.com
MAIL FROM:<XXX@XXX.com>
RCPT TO:<XXXX@XXXX.com>
DATA
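
The effect of the rev 9 change, as an added example that is not part of the original post: a small Python emulation of the rule's payload options (dsize, content with offset/depth, negated content) run over constructed SMTP payloads. The function names and sample data are assumptions made for illustration, and flags:A+ is taken as already satisfied.

```python
# Added illustration: emulates only the payload options of sid:1549.
# flags:A+ (a TCP header test) is assumed to be satisfied for every sample.
CRLF = b"\r\n"


def content(payload, pattern, offset=0, depth=None):
    """Snort-style content: case-sensitive search from offset, limited to depth bytes."""
    end = len(payload) if depth is None else offset + depth
    return payload.find(pattern, offset, end) != -1


def rev8(payload):
    """dsize:>500; content:"HELO "; offset:0; depth:5;"""
    return len(payload) > 500 and content(payload, b"HELO ", offset=0, depth=5)


def rev9(payload):
    """rev 8 plus the negated content: !"|0D 0A|MAIL FROM:" over the whole payload."""
    return rev8(payload) and not content(payload, CRLF + b"MAIL FROM:")


def build_samples():
    """Constructed payloads (not captured traffic)."""
    # Several SMTP commands arriving in one segment, as in the data quoted above.
    rcpts = b"".join(b"RCPT TO:<user%02d@example.net>" % i + CRLF for i in range(20))
    pipelined = (b"HELO mail.example.com" + CRLF +
                 b"MAIL FROM:<sender@example.com>" + CRLF + rcpts + b"DATA" + CRLF)
    return {
        "short_helo": b"HELO mail.example.com" + CRLF,        # ordinary greeting
        "pipelined_session": pipelined,                        # benign, over 500 bytes
        "oversized_helo": b"HELO " + b"A" * 600 + CRLF,        # what the rule targets
    }


def evaluate():
    """Return {sample name: (rev 8 fires, rev 9 fires)}."""
    return {name: (rev8(p), rev9(p)) for name, p in build_samples().items()}


if __name__ == "__main__":
    for name, (r8, r9) in evaluate().items():
        print(f"{name:18} rev8={r8!s:5} rev9={r9}")
```

The pipelined session exceeds the dsize threshold only because the commands after HELO share the segment, which is why rev 8 fires on it and rev 9 does not.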



