Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-sigs] SID: 8440

from [Patrik Israelsson] Network Security [Permanent Link]
Subject: Re: [Snort-sigs] SID: 8440
Date: Tue, 24 Apr 2007 18:30:48 +0200 
On Tuesday 24 April 2007 17.24, Paul Schmehl wrote:
[...]

I'm trying to understand *why* what appear to be legitimate users checking
email is tripping this alert.  Is it badly configured clients?  Unpatched
clients?  Badly designed clients that ignore the protocol?

The bottom line is, why are our users' email clients routinely trying to
overflow a buffer?


For what it's worth, I've deactivated this sig since long since it was giving 
way too many false positives. We run NIDS services for a whole bunch of 
companies and this sig has triggered massively on our sensors in pretty much 
every network we've connected them to. So I'm fairly confident that what 
you're seeing is not clients trying to exploit a vulnerability, rather they 
are just going about their usual business and this Snort sig is interpreting 
it incorrectly.

Regards,
Patrik

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-sigs] SID: 8440, Nigel Houghton
Next by Date:  Re: [Snort-sigs] SID: 8440, Paul Schmehl
Previous by Thread:  Re: [Snort-sigs] SID: 8440, Paul Schmehl
Next by Thread:  Re: [Snort-sigs] SID: 8440, Paul Schmehl
Indexes:  [Date] [Thread] [Top] [All Lists]