'Re: [Snort-users] max_header_line_len'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       snort-users
Subject:    Re: [Snort-users] max_header_line_len
From:       Todd Wease <twease () sourcefire ! com>
Date:       2008-03-27 11:41:50
Message-ID: 47EB87FE.7080609 () sourcefire ! com
[Download RAW message or body]

Hi Serdar,

The header name buffer overflow looks for a header name > 64 characters.
 Header names are taken to be the tags in the data header, e.g.

Subject:
Return-Path:
Received:
etc.

If the number of characters before the ":" is more than 64 characters
the smtp preprocessor alerts.  The max_header_line_len has nothing to do
with this - it looks for the length of the entire line.

Is your network asynchronous?  Are you dropping packets?  Can you
provide a pcap that generates the alert (send to bugs@snort.org)?

Thanks,
Todd

serdar uzun wrote:
> Hi,
> 
> My Snort alerts many times with "smtp: Attempted header name buffer
> overflow".
> Then I cleared the line "max_header_line_len .." in snort.conf. But it
> has been continueing with same alert. What may be the problem?
> 
> ------------------------------------------------------------------------
> Looking for last minute shopping deals? Find them fast with Yahoo!
> Search.
> <http://us.rd.yahoo.com/evt=51734/*http://tools.search.yahoo.com/newsearch/category.php?category=shopping>
>  
> 
> 
> ------------------------------------------------------------------------
> 
> -------------------------------------------------------------------------
> Check out the new SourceForge.net Marketplace.
> It's the best place to buy or sell services for
> just about anything Open Source.
> http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic