Security Incidents: Re: Real-world attacks on sendmail CA-2003-07 seen

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

Re: Real-world attacks on sendmail CA-2003-07 seen

From: Bennett Todd <bet () rahul net>
Date: Mon, 10 Mar 2003 13:47:10 -0500

2003-03-10T13:22:05 Barry Kokotailo:

Is there a snort signature out for this as of yet?


Yes, in the latest signature set includes, at the end of smtp.rules:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP From comment overflow attempt"; flow:to_server,established; 
content:"From\:"; content:"<><><><><><><><><><><><><><><><><><><><><><>"; distance:0; content:"("; distance:1; 
content:")"; distance:1; reference:cve,CAN-2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; 
classtype:attempted-admin; sid:2087; rev:2;)

It false-positives pretty easily, but does seem to catch the
currently-discussed attacks.

-Bennett

Attachment: _bin
Description:

By Date By Thread

Current thread:

Re: Real-world attacks on sendmail CA-2003-07 seen, (continued)
- Re: Real-world attacks on sendmail CA-2003-07 seen Curt Wilson (Mar 10)
- RE: Real-world attacks on sendmail CA-2003-07 seen Barry Kokotailo (Mar 10)
  - Re: Real-world attacks on sendmail CA-2003-07 seen Bennett Todd (Mar 10)
  - Re: Real-world attacks on sendmail CA-2003-07 seen james (Mar 10)