Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

[Snort-users] smtp: Attempted command buffer overflow

3 views
Skip to first unread message

Phil Daws

unread,
Apr 17, 2013, 4:06:43 AM4/17/13
to
Hello,

have recently installed Snort and am beginning to see a lot of alerts from the SMTP preprocessor for SID 124:1:1. Looking at the payload data it shows:

0000000: 45 48 4c 4f 20 6c 69 73 74 73 2e 73 6f 75 72 63 65 66 6f 72 67 65 2e 6e 65 74 EHLO.lists.sourceforge.net
000001A: 0d 0a ..

this to an untrained eye looks okay so why would it be tripping the test ?

Thanks.

------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Phil Daws

unread,
Apr 17, 2013, 8:38:06 AM4/17/13
to
Manuel,

thank you for the reply but I am at a loss as to what you mean ? I thought the rule was saying that the number of bytes in the HELO/EHLO line was > 512 as defined by :

max_command_line_len 512

in the preprocessor section of snort.conf.

Am I wrong in my understanding ?

Thanks.


----- Original Message -----
From: "Manuel Garcia-Zamora" <zam...@uk.innovation-group.com>
To: "Phil Daws" <ux...@splatnix.net>
Sent: Wednesday, 17 April, 2013 9:33:57 AM
Subject: RE: smtp: Attempted command buffer overflow

Phil
This probably is because that email server lists.sourceforge.net is not defined as corporate mail server in the email servers in the configuration file therefore this is not an authorized email relay server to connect by smtp.

You should not allow any outbound SMTP , if this is for a authorized source then you can create an exception to the this alert by source IP

Regards

Manuel
________________________________________________________________________
Any opinions expressed in this email are those of the individual and not necessarily the company. The contents of this email and any attachments are confidential to The Innovation Group PLC and are solely for use by the intended recipient at the email address to which it has been addressed.

This email and any attachments may not be disclosed to or used by anyone other than the intended recipient, nor may it be copied in any way. If you have received this email in error, please forward a copy of this email to itsu...@uk.innovation-group.com and then delete it from your system.

The Innovation Group PLC: Registered in England 3256771
Registered Office: Yarmouth House 1300 Parkway Solent Business Park Whiteley Hampshire PO15 7AE UK
http://www.innovation-group.com

This email and any attachments has been swept for computer viruses. Neither The Innovation Group PLC nor the sender accept any responsibility for computer viruses once this email has been transmitted.

Phil Daws

unread,
Apr 19, 2013, 3:37:43 AM4/19/13
to
Still seeing a huge amount of these and the payload does not appear to be over the threshold. How would one best analyze why this is happening ?

waldo kitty

unread,
Apr 19, 2013, 5:21:16 AM4/19/13
to
On 4/19/2013 03:37, Phil Daws wrote:
> Still seeing a huge amount of these and the payload does not appear to be over the threshold. How would one best analyze why this is happening ?

one would need to analyze the pcap of the session... either the pcap that snort
has saved or a pcap made by another tool that has grabbed the entire session...
one would have to look at each of the bytes in the packet and ensure that they
are accurate for their meaning and use...

consider if the packet contains a command length byte that denotes a length of
513 bytes... your max command length is 512 so there's a trigger...

consider also that a possible command length byte may indicate 30 characters but
there are actually 31+ characters... that would be another trigger...

i don't know if there is a command length byte or not... you would have to
determine that by looking at the packets and comparing them to the RFCs as part
of your analysis... the above are examples of the depth you will need to
check... yes, you may be down to the level of counting grains of sand on the
beach but how else are you going to ensure and verify that there's a stable
foundation for the building when your tools are telling there isn't such and you
are not sure if you should believe them or not? ;)

FWIW1: in the sample packet bytes you originally gave, you didn't include all of
the bytes of the packet so there's not enough information available to determine
if there's a length byte indicating one length while the packet actually
contains more...

FWIW2: the comment about a corporate smtp mailer is misdirected or misguided...
i do not believe it has anything to do with your actual problem in this situation...
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.

Castle, Shane

unread,
Apr 19, 2013, 11:25:57 AM4/19/13
to
Every one of these I have ever investigated has turned out to be FP. I have a full NSM installation so I can examine the complete conversation. I have wound up suppressing the more chatty alerts in threshold.conf. I'm on the point of disabling the smtp preprocessor entirely but I keep hoping it's doing something useful.

The ones I am suppressing are 124:1, 124:7, and 124:10.

--
Shane Castle
Data Security Mgr, Boulder County IT

-----Original Message-----
From: Phil Daws [mailto:ux...@splatnix.net]
Sent: Friday, April 19, 2013 01:38
To: snort...@lists.sourceforge.net
Subject: Re: [Snort-users] smtp: Attempted command buffer overflow

Still seeing a huge amount of these and the payload does not appear to be over the threshold. How would one best analyze why this is happening ?

------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced analytics on semi-structured data. The platform includes APIs for building apps and a phenomenal toolset for data science. Developers can use our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

________________________________________________________________________
Any opinions expressed in this email are those of the individual and not necessarily the company. The contents of this email and any attachments are confidential to The Innovation Group PLC and are solely for use by the intended recipient at the email address to which it has been addressed.

This email and any attachments may not be disclosed to or used by anyone other than the intended recipient, nor may it be copied in any way. If you have received this email in error, please forward a copy of this email to itsu...@uk.innovation-group.com and then delete it from your system.

The Innovation Group PLC: Registered in England 3256771
Registered Office: Yarmouth House 1300 Parkway Solent Business Park Whiteley Hampshire PO15 7AE UK
http://www.innovation-group.com

This email and any attachments has been swept for computer viruses. Neither The Innovation Group PLC nor the sender accept any responsibility for computer viruses once this email has been transmitted.

Phil Daws

unread,
Apr 19, 2013, 11:33:45 AM4/19/13
to
Hello Shane,

I am beginning to agree as its FP'ing Google, Sourceforge and many more WL sources. Am going to supress those as something is not right at all.

Bhagya Bantwal

unread,
Apr 19, 2013, 1:12:27 PM4/19/13
to
Phil,

This looks like a FP. Do you happen to have a pcap for this? 

I will file a bug to fix this.

Thanks!
-B
0 new messages