Re: Real-world attacks on sendmail CA-2003-07 seen
From: Bennett Todd (bet@rahul.net)
Date: 03/10/03
- Previous message: Barry Kokotailo: "RE: Real-world attacks on sendmail CA-2003-07 seen"
- In reply to: Barry Kokotailo: "RE: Real-world attacks on sendmail CA-2003-07 seen"
- Next in thread: james: "Re: Real-world attacks on sendmail CA-2003-07 seen"
Date: Mon, 10 Mar 2003 13:47:10 -0500 From: Bennett Todd <bet@rahul.net> To: Barry Kokotailo <barry.kokotailo@epsb.ca>
2003-03-10T13:22:05 Barry Kokotailo:
> Is there a snort signature out for this as of yet?
Yes, the latest signature set includes, at the end of smtp.rules:
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP From comment overflow attempt"; flow:to_server,established; content:"From\:"; content:"<><><><><><><><><><><><><><><><><><><><><><>"; distance:0; content:"("; distance:1; content:")"; distance:1; reference:cve,CAN-2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; classtype:attempted-admin; sid:2087; rev:2;)
It false-positives pretty easily, but does seem to catch the
currently-discussed attacks.
-Bennett
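An added example, not part of the message above and not code from the Snort distribution: a Python emulation of the rule's content/distance chain, run over constructed sample payloads to show where the chain fires, including on a mail that merely quotes the signature. The `triage` labels and the `header_line_end` helper are hypothetical, and flow tracking and stream reassembly are not modelled.

```python
# Added illustration: emulates only the content/distance chain of sid:2087
# against one payload buffer. No flow tracking or stream reassembly.
ANGLES = b"<><><><><><><><><><><><><><><><><><><><><><>"  # copied from the rule
# (pattern, distance) in rule order; None means the content is not relative.
CHAIN = [(b"From:", None), (ANGLES, 0), (b"(", 1), (b")", 1)]

def match_chain(payload, chain=CHAIN):
    """Return the offset of every content match, or None if the chain fails."""
    cursor, offsets = 0, []
    for pattern, distance in chain:
        # Relative search starts `distance` bytes past the previous match.
        # With no `within` bound, the earliest hit at each step is enough.
        pos = payload.find(pattern, cursor + (distance or 0))
        if pos < 0:
            return None
        offsets.append(pos)
        cursor = pos + len(pattern)
    return offsets

def header_line_end(payload, start):
    """End of the header line at `start`, following folded continuations."""
    pos = payload.find(b"\r\n", start)
    while pos >= 0 and payload[pos + 2:pos + 3] in (b" ", b"\t"):
        pos = payload.find(b"\r\n", pos + 2)
    return len(payload) if pos < 0 else pos

def triage(payload):
    """Hypothetical triage labels: did the bracket run land in the From line?"""
    offsets = match_chain(payload)
    if offsets is None:
        return "no-alert"
    in_from = offsets[1] < header_line_end(payload, offsets[0])
    return "alert-from-line" if in_from else "alert-elsewhere"

# Constructed samples (not captured traffic).
ORDINARY = b"From: Alice <alice@example.org> (Alice A.)\r\nSubject: hi\r\n\r\nhello\r\n"
IN_HEADER = b"From: " + ANGLES + b" (comment)\r\nSubject: x\r\n\r\nbody\r\n"
QUOTED_RULE = (b"From: analyst@example.org\r\nSubject: new smtp.rules entry\r\n\r\n"
               b"The new rule keys on " + ANGLES + b" in the payload\r\n"
               b"(see the end of smtp.rules).\r\n")

if __name__ == "__main__":
    for name in ("ORDINARY", "IN_HEADER", "QUOTED_RULE"):
        print(name, triage(globals()[name]))
```

The `QUOTED_RULE` sample alerts even though its From header is ordinary, because none of the rule's content matches is tied to the header line.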