Re: Real-world attacks on sendmail CA-2003-07 seen

From: Bennett Todd (betat_private)
Date: Mon Mar 10 2003 - 10:47:10 PST

Next message: Danny: "RE: New virus outbreak."

Previous message: Harlan Carvey: "Re: Solved !! "Girlnextdoor_" TCP Ports 1025/1028"
In reply to: Barry Kokotailo: "RE: Real-world attacks on sendmail CA-2003-07 seen"
Next in thread: james: "Re: Real-world attacks on sendmail CA-2003-07 seen"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

2003-03-10T13:22:05 Barry Kokotailo:
> Is there a snort signature out for this as of yet?

Yes, in the latest signature set includes, at the end of smtp.rules:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP From comment overflow attempt"; flow:to_server,established; content:"From\:"; content:"<><><><><><><><><><><><><><><><><><><><><><>"; distance:0; content:"("; distance:1; content:")"; distance:1; reference:cve,CAN-2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; classtype:attempted-admin; sid:2087; rev:2;)

It false-positives pretty easily, but does seem to catch the
currently-discussed attacks.

-Bennett

application/pgp-signature attachment: stored

Next message: Danny: "RE: New virus outbreak."
Previous message: Harlan Carvey: "Re: Solved !! "Girlnextdoor_" TCP Ports 1025/1028"
In reply to: Barry Kokotailo: "RE: Real-world attacks on sendmail CA-2003-07 seen"
Next in thread: james: "Re: Real-world attacks on sendmail CA-2003-07 seen"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Mar 10 2003 - 12:09:06 PST