--On Tuesday, April 24, 2007 18:30:48 +0200 Patrik Israelsson
<patrik.israelsson@sentor.se> wrote:
On Tuesday 24 April 2007 17.24, Paul Schmehl wrote:
[...]
I'm trying to understand *why* what appear to be legitimate users
checking email is tripping this alert. Is it badly configured clients?
Unpatched clients? Badly designed clients that ignore the protocol?
The bottom line is, why are our users' email clients routinely trying to
overflow a buffer?
For what it's worth, I've deactivated this sig since long since it was
giving way too many false positives. We run NIDS services for a whole
bunch of companies and this sig has triggered massively on our sensors
in pretty much every network we've connected them to. So I'm fairly
confident that what you're seeing is not clients trying to exploit a
vulnerability, rather they are just going about their usual business and
this Snort sig is interpreting it incorrectly.
The sig is doing precisely what it's supposed to be doing. The question
is, is what it's being asked to do correct? And if so, why are clients
routinely trying to overflow a buffer? Is it a massive misinterpretation
of the protocol? Is the sig written incorrectly?
I'm hesitant to disable alerts simply because they're noisy. I prefer to
know why they're noisy and correct the problem.
--
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
p7sahSy5szeav.p7s
Description: S/MIME cryptographic signature
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
