
[Snort-sigs] False +ves for SID 2590 SMTP MAIL FROM overflow attempt

Subject: [Snort-sigs] False +ves for SID 2590 SMTP MAIL FROM overflow attempt
Date: Thu, 25 Nov 2004 10:35:09 +1300
I am seeing lots of false +ves like this one for this rule where snort
finds "mail from" in the body of the email.  Is there some way that the
detect could be restricted to the headers?

Russell

META
--------
SID     CID     TimeStamp               Signature
5       257756  2004-11-24 10:38:37     SMTP MAIL FROM overflow attempt
Sig ID
2590

Sensor Hostname                         Sensor Interface
hihi    1

IP
--------
Source Address  Dest Address    Ver     Hdr Len
130.164.14.246  130.216.190.14  4       5
TOS     length  ID      flags   offset  TTL     chksum
0       1420    55679   0       0       103     41579

Resolved Source
mailserv99-us.natinst.com

Resolved Dest
mailhost.auckland.ac.nz 

TCP
--------
Source Port     Dest Port       Seq             Ack             
2777            25              1272858649      1689520177
Offset  Reserved        Flags   Window  Checksum        Urgent Ptr
5       0               16      65304   36410           0

Options
--------
None


Flags
--------
RB 1    RB 0    URG     ACK     PSH     RST     SYN     FIN
                        X                                       


DATA
--------
ou=..rse Calendar, please visit:..http://digital.ni.com/expr
ess.nsf/bycode/exr5tn....To register for specific classes, d
ownload course descriptions, or view pri=..cing information 
call (800) 488-8662, or visit:..http://digital.ni.com/expres
s.nsf/bycode/exqsbt....Jan 24-26: LabVIEW Basics I: Introduc
tion..http://digital.ni.com/express.nsf/bycode/exw5ez....Jan
 27-28: LabVIEW Basics II: Development..http://digital.ni.co
m/express.nsf/bycode/exdf9u......Access NI Instructor-Led Co
urses at your Desktop!....Use our new instructor-led online 
courses to increase your productivity qui=..ckly and effecti
vely with NI products without leaving your desk! Combining =
..interactive learning technology delivered over the Interne
t with live instr=..uction, these instructor-led online cour
ses deliver many of the benefits of=.. instructor-led classr
oom courses while reducing your training and developm=..ent 
costs. For more information, course schedules and outlines, 
or to regis=..ter, visit:..http://www.ni.com/training....Dec
 7: LabVIEW Machine Vision and Image Processing..http://digi
tal.ni.com/express.nsf/bycode/ex95pgSincerely,....Jean Brune
r..National Instruments..(512) 683-9365---------------------
----------------------------------------=..-----------------
--..Copyright 2004 National Instruments Corporation. All rig
hts reserved.=20..If you do not wish to receive e-mail from 
-- 
Russell Fulton, Information Security Officer, The University of Auckland
New Zealand
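
The false positive reported above, as an added example that is not part of the original post and not the text of SID 2590: a payload-wide match on "mail from" also fires on message bodies, while a check that follows the SMTP dialogue and skips everything between `DATA` and the terminating `.` does not. The 256-byte threshold, the function names and the sample sessions are assumptions constructed for illustration.

```python
import re

LIMIT = 256  # assumed threshold; the post does not show the rule's real value

def naive_match(stream: bytes, limit: int = LIMIT) -> bool:
    """Payload-wide model: 'mail from' anywhere in the client stream,
    followed by more than `limit` bytes with no line feed."""
    for m in re.finditer(rb"mail from", stream, re.IGNORECASE):
        tail = stream[m.end():m.end() + limit + 1]
        if len(tail) > limit and b"\n" not in tail:
            return True
    return False

def command_phase_match(stream: bytes, limit: int = LIMIT) -> bool:
    """Inspect SMTP command lines only; message content between DATA
    and the lone '.' line is never examined."""
    prefix = b"MAIL FROM:"
    in_data = False
    for line in stream.split(b"\r\n"):
        if in_data:
            if line == b".":          # end-of-data marker
                in_data = False
            continue
        upper = line.upper()
        if upper == b"DATA":
            in_data = True
        elif upper.startswith(prefix) and len(line) - len(prefix) > limit:
            return True
    return False

# Constructed client-to-server sessions (not taken from the captured packet).
BENIGN = (
    b"EHLO client.example\r\n"
    b"MAIL FROM:<sender@example.com>\r\n"
    b"RCPT TO:<user@example.org>\r\n"
    b"DATA\r\n"
    b"Subject: newsletter\r\n\r\n"
    b"If you do not wish to receive e-mail from " + b"x" * 300 + b"\r\n"
    b".\r\nQUIT\r\n"
)
OVERLONG = b"EHLO client.example\r\nMAIL FROM:<" + b"A" * 400 + b">\r\n"

if __name__ == "__main__":
    for name, s in (("benign", BENIGN), ("overlong", OVERLONG)):
        print(name, "naive:", naive_match(s), "command-phase:", command_phase_match(s))
```

The command-phase check works on the reassembled client stream; a per-packet matcher cannot know whether a segment falls inside the `DATA` phase, and this sketch does not handle `BDAT` chunking.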


