
Re: SMTP PreProc Woes: msg#00019

security.ids.snort.devel

Subject: Re: SMTP PreProc Woes

Bamm,

It's hard to know what is happening without seeing the actual traffic that is being alerted on, but you can experiment with the different "alt_max_command_line_len" options, either deleting them or increasing the length, and seeing if you still get the alerts. Once you've narrowed it down to a specific command, you can decide what to do about that specific alert without turning off all alerts. I hope this helps.

-Andy

Bamm Visscher wrote:
> FYI: I seem to be getting a lot of false "smtp: Attempted specific
> command buffer overflow" alerts when using the libsf_smtp_preproc in
> snort 2.6.0. I am using the std config options.
>
> preprocessor smtp: \
> ports { 25 } \
> inspection_type stateful \
> normalize cmds \
> normalize_cmds { EXPN VRFY RCPT } \
> alt_max_command_line_len 260 { MAIL } \
> alt_max_command_line_len 300 { RCPT } \
> alt_max_command_line_len 500 { HELP HELO ETRN } \
> alt_max_command_line_len 255 { EXPN VRFY }
>
> For now I've added no_alerts to my config. If you need any
> information, please let me know.
>
> Bammkkkk
>
>
>

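The narrowing-down procedure Andy describes, as an added worked example that is not code from this thread or from the snort SMTP preprocessor. It models the documented behaviour of alt_max_command_line_len (a command line longer than the limit configured for its verb raises "smtp: Attempted specific command buffer overflow", the alert Bamm reports), runs it over a constructed SMTP session, counts alerts per verb so the offending command stands out, and derives the smallest per-command limit that would not alert on that traffic, rendered back into snort.conf syntax. The limit table is copied from the config quoted above. Assumptions not taken from the page: that the compared length is the whole command line up to but excluding the CRLF, that an absent max_command_line_len (as in the quoted config) means no generic length alert, and the name of the generic alert; treat those as approximations of the preprocessor, not its code.

```python
"""Model of the command-line-length check in Snort's SMTP preprocessor.

Added example (not the preprocessor's code). The limit table comes from the
config quoted in the thread; the SMTP session is constructed for this example.
"""

# alt_max_command_line_len values from the config quoted in the thread.
ALT_MAX_COMMAND_LINE_LEN = {
    "MAIL": 260,
    "RCPT": 300,
    "HELP": 500, "HELO": 500, "ETRN": 500,
    "EXPN": 255, "VRFY": 255,
}

SPECIFIC_OVERFLOW = "smtp: Attempted specific command buffer overflow"  # from thread
GENERIC_OVERFLOW = "smtp: Attempted command buffer overflow"            # assumed name

# Constructed SMTP session: three lines exceed their per-command limit.
SAMPLE_SESSION = [
    b"HELO mail.example.com\r\n",                        # 21 bytes, limit 500
    b"MAIL FROM:<" + b"a" * 250 + b"@example.com>\r\n",  # 274 bytes, limit 260
    b"RCPT TO:<bob@example.com>\r\n",                    # 25 bytes, limit 300
    b"RCPT TO:<" + b"r" * 300 + b">\r\n",                # 310 bytes, limit 300
    b"DATA\r\n",                                         # no per-command limit
    b"VRFY " + b"x" * 251 + b"\r\n",                     # 256 bytes, limit 255
    b"QUIT\r\n",
]


def check_command_line(line, limits=ALT_MAX_COMMAND_LINE_LEN,
                       max_command_line_len=0):
    """Return (verb, length, alert) for one command line; alert is None when
    no limit is exceeded. Assumption: the length is the line without its CRLF,
    and max_command_line_len of 0 (the option is absent in the quoted config)
    disables the generic check. A per-command override replaces the generic one."""
    body = line.rstrip(b"\r\n")
    verb = body.split(b" ", 1)[0].upper().decode("ascii", "replace")
    length = len(body)
    if verb in limits:
        return verb, length, SPECIFIC_OVERFLOW if length > limits[verb] else None
    if max_command_line_len and length > max_command_line_len:
        return verb, length, GENERIC_OVERFLOW
    return verb, length, None


def alerts_per_verb(lines, limits=ALT_MAX_COMMAND_LINE_LEN):
    """Count specific-overflow alerts by verb: narrowing the alert down to
    one command instead of silencing the preprocessor with no_alerts."""
    counts = {}
    for line in lines:
        verb, _, alert = check_command_line(line, limits)
        if alert == SPECIFIC_OVERFLOW:
            counts[verb] = counts.get(verb, 0) + 1
    return counts


def suggested_limits(lines, limits=ALT_MAX_COMMAND_LINE_LEN):
    """For each verb that alerted, the smallest alt_max_command_line_len that
    would not alert on the observed traffic (the longest line seen for it)."""
    longest = {}
    for line in lines:
        verb, length, alert = check_command_line(line, limits)
        if alert == SPECIFIC_OVERFLOW:
            longest[verb] = max(longest.get(verb, 0), length)
    return longest


def render_alt_limits(limits):
    """Render a limit table back into snort.conf syntax, one line per value."""
    by_value = {}
    for verb, value in limits.items():
        by_value.setdefault(value, []).append(verb)
    return [f"alt_max_command_line_len {value} {{ {' '.join(sorted(verbs))} }}"
            for value, verbs in sorted(by_value.items())]


if __name__ == "__main__":
    print("alerts by verb:", alerts_per_verb(SAMPLE_SESSION))
    tuned = dict(ALT_MAX_COMMAND_LINE_LEN)
    tuned.update(suggested_limits(SAMPLE_SESSION))
    print("tuned config:")
    for cfg_line in render_alt_limits(tuned):
        print("   ", cfg_line, "\\")
    print("alerts after tuning:", alerts_per_verb(SAMPLE_SESSION, tuned))
```

Raising a limit to the longest line observed only makes sense once the captured traffic has been checked and judged legitimate (a long RCPT argument from a real MTA, say, rather than an overflow attempt); the other option Andy mentions, deleting the override for that verb, drops the command back to the generic max_command_line_len check, which in the quoted config is not set at all. Either way the remaining verbs keep their limits, which no_alerts does not give you.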


