Home page logo

snort logo Snort mailing list archives

Re: smtp: Attempted command buffer overflow
From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 19 Apr 2013 05:21:16 -0400

On 4/19/2013 03:37, Phil Daws wrote:
Still seeing a huge amount of these and the payload does not appear to be over the threshold.  How would one best 
analyze why this is happening ?

one would need to analyze the pcap of the session... either the pcap that snort 
has saved or a pcap made by another tool that has grabbed the entire session... 
one would have to look at each of the bytes in the packet and ensure that they 
are accurate for their meaning and use...

consider if the packet contains a command length byte that denotes a length of 
513 bytes... your max command length is 512 so there's a trigger...

consider also that a possible command length byte may indicate 30 characters but 
there are actually 31+ characters... that would be another trigger...

i don't know if there is a command length byte or not... you would have to 
determine that by looking at the packets and comparing them to the RFCs as part 
of your analysis... the above are examples of the depth you will need to 
check... yes, you may be down to the level of counting grains of sand on the 
beach but how else are you going to ensure and verify that there's a stable 
foundation for the building when your tools are telling there isn't such and you 
are not sure if you should believe them or not? ;)

FWIW1: in the sample packet bytes you originally gave, you didn't include all of 
the bytes of the packet so there's not enough information available to determine 
if there's a length byte indicating one length while the packet actually 
contains more...

FWIW2: the comment about a corporate smtp mailer is misdirected or misguided... 
i do not believe it has anything to do with your actual problem in this situation...


----- Original Message -----
From: "Phil Daws"<uxbod () splatnix net>
To: snort-users () lists sourceforge net
Sent: Wednesday, 17 April, 2013 1:38:06 PM
Subject: Re: [Snort-users] smtp: Attempted command buffer overflow


thank you for the reply but I am at a loss as to what you mean ? I thought the rule was saying that the number of 
bytes in the HELO/EHLO line was>  512 as defined by :

max_command_line_len 512

in the preprocessor section of snort.conf.

Am I wrong in my understanding ?


----- Original Message -----
From: "Manuel Garcia-Zamora"<zamoram () uk innovation-group com>
To: "Phil Daws"<uxbod () splatnix net>
Sent: Wednesday, 17 April, 2013 9:33:57 AM
Subject: RE: smtp: Attempted command buffer overflow

This probably is because that email server lists.sourceforge.net is not defined as corporate mail server in the email 
servers in the configuration file therefore this is not an authorized email relay server to connect by smtp.

You should not allow any outbound SMTP , if this is for a authorized source then you can create an exception to the 
this alert by source IP



-----Original Message-----
From: Phil Daws [mailto:uxbod () splatnix net]
Sent: 17 April 2013 09:07
To: snort-users () lists sourceforge net
Subject: [Snort-users] smtp: Attempted command buffer overflow


have recently installed Snort and am beginning to see a lot of alerts from the SMTP preprocessor for SID 124:1:1. 
Looking at the payload data it shows:

0000000: 45 48 4c 4f 20 6c 69 73 74 73 2e 73 6f 75 72 63 65 66 6f 72 67 65 2e 6e 65 74 EHLO.lists.sourceforge.net
000001A: 0d 0a ..

this to an untrained eye looks okay so why would it be tripping the test ?


NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Please visit http://blog.snort.org to stay current on all the latest Snort news!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]