Snort mailing list archives
Re: False positives with SMTP RCPT TO overflow rule
From: Chris Green <cmg () sourcefire com>
Date: Thu, 27 Jun 2002 15:33:33 -0400

Just as an FYI, these alerts are a bit more common than they used to be because of a change in stream reassembly.

In snort 1.9 series, we've changed the dsize keyword to return 0 if it's a rebuilt packet. Better analysis capabilities are in the works but this mitigates things a bit.

Cheers,
Chris
--
Chris Green <cmg () sourcefire com>
Don't use a big word where a diminutive one will suffice.
