From: Brian Caswell (bmcmitre.org)
Date: Fri Jun 08 2001 - 17:41:12 CDT


    Paulie wrote:
    > alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"IDS266 - CAN-1999-0261
    > - SMTP Chameleon Overflow"; content: "HELP"; nocase; flags: AP; dsize: >500;
    > depth: 10;)
    >
    > So basically it alarms on any inbound smtp packet big enough and with the
    > ever so infrequent word HELP in it.

    Well, any SMTP packet big enough, that is, larger than 500, that includes
    the word help in the first 10 characters of the packet.

    Both arachnids and the snort.org rulesets have had this rule modified
    for quite some time. Upgrade your ruleset.

    The current rule content/depth is content:"HELP "; depth:5;

    That should help cut down on the false positives.

    -- 
    Brian Caswell
    The MITRE Corporation
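To make the content/depth/dsize discussion in this thread concrete, here is an added example (not from the thread, and not Snort's own matching code) that models those three options and runs the old rule and the revised rule over a few constructed SMTP payloads. It ignores `flags: AP` and stream reassembly, and it assumes the revised rule keeps `nocase` and `dsize: >500`, which the reply above does not state.

```python
"""Toy model of Snort content/nocase/depth/dsize matching for the IDS266 rule.

Constructed sample payloads; simplified semantics (no flags, no reassembly).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ContentRule:
    content: bytes    # the content: pattern
    depth: int        # the whole pattern must lie within the first `depth` bytes
    nocase: bool      # nocase: compare case-insensitively
    dsize_min: int    # dsize: >N on the payload length

    def matches(self, payload: bytes) -> bool:
        if len(payload) <= self.dsize_min:
            return False
        window, needle = payload[: self.depth], self.content
        if self.nocase:
            window, needle = window.lower(), needle.lower()
        return needle in window


# Old rule as quoted in the thread; new rule uses content:"HELP " and depth:5
# (keeping nocase and dsize is an assumption of this example).
OLD_RULE = ContentRule(b"HELP", depth=10, nocase=True, dsize_min=500)
NEW_RULE = ContentRule(b"HELP ", depth=5, nocase=True, dsize_min=500)

FILLER = b"X" * 600  # constructed padding so the payload exceeds dsize 500

SAMPLES = {  # constructed payloads, not real traffic
    "help_verb_only": b"HELP\r\n",                              # too small
    "body_helpful": b"Helpful hint: see the attached notes\r\n" + FILLER,
    "data_helping": b"DATA\r\nHELPING out with the report\r\n" + FILLER,
    "rcpt_helpdesk": b"RCPT TO:<helpdesk@example.test>\r\n" + FILLER,
    "help_long_arg": b"HELP " + FILLER,                          # what IDS266 targets
}


def hits(rule: ContentRule) -> list[str]:
    """Names of the sample payloads the rule would alert on, sorted."""
    return sorted(name for name, p in SAMPLES.items() if rule.matches(p))


if __name__ == "__main__":
    print("old rule:", hits(OLD_RULE))  # benign bodies trip it
    print("new rule:", hits(NEW_RULE))  # only the HELP-with-long-argument case
```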
    
