Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-sigs] Flase +ves for SID 2590 SMTP MAIL FROM overflow attempt

from [Alex Kirk] Network Security [Permanent Link]
Subject: Re: [Snort-sigs] Flase +ves for SID 2590 SMTP MAIL FROM overflow attempt
Date: Mon, 29 Nov 2004 09:02:50 -0500 
Russell,

As nnposter has correctly pointed out, it is difficult to tell whether one is in the header or the body of an e-mail. There is some work going on here at Sourcefire to fix this problem, though given how busy our development staff is I couldn't put any firm time frame on when something would be released. Suffice it to say that we're aware of the problem and would like to have it go away. :-)

Meanwhile I'm going to take a look at the proposed updates to the rule that nnposter has sent in and see if it makes sense to release an updated rule.

Alex Kirk
Research Analyst
Sourcefire, Inc.

I am seeing lots of false +ves like this one for this rule where snort
finds "mail from" in the body of the email.  Is there some way that the
detect could be restricted to the headers?

Russell

META
--------
SID     CID     TimeStamp               Signature
5       257756  2004-11-24 10:38:37     SMTP MAIL FROM overflow attempt
Sig ID
2590

Sensor Hostname                         Sensor Interface
hihi    1

IP
--------
Source Address  Dest Address    Ver     Hdr Len
130.164.14.246  130.216.190.14  4       5
TOS     length  ID      flags   offset  TTL     chksum
0       1420    55679   0       0       103     41579

Resolved Source
mailserv99-us.natinst.com

Resolved Dest
mailhost.auckland.ac.nz 

TCP
--------
Source Port     Dest Port       Seq             Ack             
2777            25              1272858649      1689520177
Offset  Reserved        Flags   Window  Checksum        Urgent Ptr
5       0               16      65304   36410           0

Options
--------
None


Flags
--------
RB 1    RB 0    URG     ACK     PSH     RST     SYN     FIN
                        X

DATA
--------
6F753D0D0A7273652043 ou=..rse C
616C656E6461722C2070 alendar, p
6C656173652076697369 lease visi
743A0D0A687474703A2F t:..http:/
2F6469676974616C2E6E /digital.n
692E636F6D2F65787072 i.com/expr
6573732E6E73662F6279 ess.nsf/by
636F64652F6578723574 code/exr5t
6E0D0A0D0A546F207265 n....To re
67697374657220666F72 gister for
20737065636966696320 specific 636C61737365732C2064 classes, d
6F776E6C6F616420636F ownload co
75727365206465736372 urse descr
697074696F6E732C206F iptions, o
72207669657720707269 r view pri
3D0D0A63696E6720696E =..cing in
666F726D6174696F6E20 formation 63616C6C202838303029 call (800)
203438382D383636322C 488-8662,
206F722076697369743A or visit:
0D0A687474703A2F2F64 ..http://d
69676974616C2E6E692E igital.ni.
636F6D2F657870726573 com/expres
732E6E73662F6279636F s.nsf/byco
64652F6578717362740D de/exqsbt.
0A0D0A4A616E2032342D ...Jan 24-
32363A204C6162564945 26: LabVIE
57204261736963732049 W Basics I
3A20496E74726F647563 : Introduc
74696F6E0D0A68747470 tion..http
3A2F2F6469676974616C ://digital
2E6E692E636F6D2F6578 .ni.com/ex
70726573732E6E73662F press.nsf/
6279636F64652F657877 bycode/exw
35657A0D0A0D0A4A616E 5ez....Jan
2032372D32383A204C61 27-28: La
62564945572042617369 bVIEW Basi
63732049493A20446576 cs II: Dev
656C6F706D656E740D0A elopment..
687474703A2F2F646967 http://dig
6974616C2E6E692E636F ital.ni.co
6D2F657870726573732E m/express.
6E73662F6279636F6465 nsf/bycode
2F6578646639750D0A0D /exdf9u...
0A0D0A41636365737320 ...Access 4E4920496E7374727563 NI Instruc
746F722D4C656420436F tor-Led Co
75727365732061742079 urses at y
6F7572204465736B746F our Deskto
70210D0A0D0A55736520 p!....Use 6F7572206E657720696E our new in
7374727563746F722D6C structor-l
6564206F6E6C696E6520 ed online 636F757273657320746F courses to
20696E63726561736520 increase 796F75722070726F6475 your produ
63746976697479207175 ctivity qu
693D0D0A636B6C792061 i=..ckly a
6E642065666665637469 nd effecti
76656C79207769746820 vely with 4E492070726F64756374 NI product
7320776974686F757420 s without 6C656176696E6720796F leaving yo
7572206465736B212043 ur desk! C
6F6D62696E696E67203D ombining =
0D0A696E746572616374 ..interact
697665206C6561726E69 ive learni
6E6720746563686E6F6C ng technol
6F67792064656C697665 ogy delive
726564206F7665722074 red over t
686520496E7465726E65 he Interne
742077697468206C6976 t with liv
6520696E7374723D0D0A e instr=..
756374696F6E2C207468 uction, th
65736520696E73747275 ese instru
63746F722D6C6564206F ctor-led o
6E6C696E6520636F7572 nline cour
7365732064656C697665 ses delive
72206D616E79206F6620 r many of 7468652062656E656669 the benefi
7473206F663D0D0A2069 ts of=.. i
6E7374727563746F722D nstructor-
6C656420636C61737372 led classr
6F6F6D20636F75727365 oom course
73207768696C65207265 s while re
647563696E6720796F75 ducing you
7220747261696E696E67 r training
20616E6420646576656C and devel
6F706D3D0D0A656E7420 opm=..ent 636F7374732E20466F72 costs. For
206D6F726520696E666F more info
726D6174696F6E2C2063 rmation, c
6F757273652073636865 ourse sche
64756C657320616E6420 dules and 6F75746C696E65732C20 outlines, 6F7220746F2072656769 or to regi
733D0D0A7465722C2076 s=..ter, v
697369743A0D0A687474 isit:..htt
703A2F2F7777772E6E69 p://www.ni
2E636F6D2F747261696E .com/train
696E670D0A0D0A446563 ing....Dec
20373A204C6162564945 7: LabVIE
57204D616368696E6520 W Machine 566973696F6E20616E64 Vision and
20496D6167652050726F Image Pro
63657373696E670D0A68 cessing..h
7474703A2F2F64696769 ttp://digi
74616C2E6E692E636F6D tal.ni.com
2F657870726573732E6E /express.n
73662F6279636F64652F sf/bycode/
65783935706753696E63 ex95pgSinc
6572656C792C0D0A0D0A erely,....
4A65616E204272756E65 Jean Brune
720D0A4E6174696F6E61 r..Nationa
6C20496E737472756D65 l Instrume
6E74730D0A2835313229 nts..(512)
203638332D393336352D 683-9365-
2D2D2D2D2D2D2D2D2D2D ----------
2D2D2D2D2D2D2D2D2D2D ----------
2D2D2D2D2D2D2D2D2D2D ----------
2D2D2D2D2D2D2D2D2D2D ----------
2D2D2D2D2D2D2D2D2D2D ----------
2D2D2D2D2D2D2D2D2D2D ----------
3D0D0A2D2D2D2D2D2D2D =..-------
2D2D2D2D2D2D2D2D2D2D ----------
2D2D0D0A436F70797269 --..Copyri
6768742032303034204E ght 2004 N
6174696F6E616C20496E ational In
737472756D656E747320 struments 436F72706F726174696F Corporatio
6E2E20416C6C20726967 n. All rig
68747320726573657276 hts reserv
65642E3D32300D0A4966 ed.=20..If
20796F7520646F206E6F you do no
74207769736820746F20 t wish to 7265636569766520652D receive e-
6D61696C2066726F6D20 mail from

DATA
--------
ou=..rse Calendar, please visit:..http://digital.ni.com/expr
ess.nsf/bycode/exr5tn....To register for specific classes, d
ownload course descriptions, or view pri=..cing information call (800) 488-8662, or visit:..http://digital.ni.com/expres
s.nsf/bycode/exqsbt....Jan 24-26: LabVIEW Basics I: Introduc
tion..http://digital.ni.com/express.nsf/bycode/exw5ez....Jan
27-28: LabVIEW Basics II: Development..http://digital.ni.co
m/express.nsf/bycode/exdf9u......Access NI Instructor-Led Co
urses at your Desktop!....Use our new instructor-led online courses to increase your productivity qui=..ckly and effecti
vely with NI products without leaving your desk! Combining =
..interactive learning technology delivered over the Interne
t with live instr=..uction, these instructor-led online cour
ses deliver many of the benefits of=.. instructor-led classr
oom courses while reducing your training and developm=..ent costs. For more information, course schedules and outlines, or to regis=..ter, visit:..http://www.ni.com/training....Dec
7: LabVIEW Machine Vision and Image Processing..http://digi
tal.ni.com/express.nsf/bycode/ex95pgSincerely,....Jean Brune
r..National Instruments..(512) 683-9365---------------------
----------------------------------------=..-----------------
--..Copyright 2004 National Instruments Corporation. All rig
hts reserved.=20..If you do not wish to receive e-mail from




-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-sigs] (no subject), Brian caswell
Next by Date:  [Snort-sigs] Snortcenter and updating rules, John Hally
Previous by Thread:  [Snort-sigs] Flase +ves for SID 2590 SMTP MAIL FROM overflow attempt, Russell Fulton
Next by Thread:  [Snort-sigs] Flase +ves for SID 2590 SMTP MAIL FROM overflow attempt, nnposter
Indexes:  [Date] [Thread] [Top] [All Lists]