[prev in list] [next in list] [prev in thread] [next in thread]
List: snort-users
Subject: Re: [Snort-users] max_header_line_len
From: Todd Wease <twease () sourcefire ! com>
Date: 2008-03-27 11:41:50
Message-ID: 47EB87FE.7080609 () sourcefire ! com
[Download RAW message or body]
Hi Serdar,
The header name buffer overflow looks for a header name > 64 characters.
Header names are taken to be the tags in the data header, e.g.
Subject:
Return-Path:
Received:
etc.
If the number of characters before the ":" is more than 64 characters
the smtp preprocessor alerts. The max_header_line_len has nothing to do
with this - it looks for the length of the entire line.
Is your network asynchronous? Are you dropping packets? Can you
provide a pcap that generates the alert (send to bugs@snort.org)?
Thanks,
Todd
serdar uzun wrote:
> Hi,
>
> My Snort alerts many times with "smtp: Attempted header name buffer
> overflow".
> Then I cleared the line "max_header_line_len .." in snort.conf. But it
> has been continueing with same alert. What may be the problem?
>
> ------------------------------------------------------------------------
> Looking for last minute shopping deals? Find them fast with Yahoo!
> Search.
> <http://us.rd.yahoo.com/evt=51734/*http://tools.search.yahoo.com/newsearch/category.php?category=shopping>
>
>
>
> ------------------------------------------------------------------------
>
> -------------------------------------------------------------------------
> Check out the new SourceForge.net Marketplace.
> It's the best place to buy or sell services for
> just about anything Open Source.
> http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic