On 4/19/2013 03:37, Phil Daws wrote:
> Still seeing a huge amount of these and the payload does not appear to be over the threshold. How would one best analyze why this is happening ?
one would need to analyze the pcap of the session... either the pcap that snort
has saved or a pcap made by another tool that has grabbed the entire session...
one would have to look at each of the bytes in the packet and ensure that they
are accurate for their meaning and use...
consider if the packet contains a command length byte that denotes a length of
513 bytes... your max command length is 512 so there's a trigger...
consider also that a possible command length byte may indicate 30 characters but
there are actually 31+ characters... that would be another trigger...
i don't know if there is a command length byte or not... you would have to
determine that by looking at the packets and comparing them to the RFCs as part
of your analysis... the above are examples of the depth you will need to
check... yes, you may be down to the level of counting grains of sand on the
beach but how else are you going to ensure and verify that there's a stable
foundation for the building when your tools are telling there isn't such and you
are not sure if you should believe them or not? ;)
FWIW1: in the sample packet bytes you originally gave, you didn't include all of
the bytes of the packet so there's not enough information available to determine
if there's a length byte indicating one length while the packet actually
contains more...
FWIW2: the comment about a corporate smtp mailer is misdirected or misguided...
i do not believe it has anything to do with your actual problem in this situation...
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.