
ID 11669 False Positive or not?

For the past week or so, I've been getting frequent alerts for SPECIFIC-THREATS Eudora 250 command response buffer overflow.
 
The rule is:
flow:established, to_client
content:"250"
pcre:"/^250.*[^\x20-\x7E\t\x0D\x0A]/sm"
classtype:attempted-user 
 
The alerts show that the messages which trigger the alert are flowing from my astaro box to my internal mail server which is not particularly helpful in finding the specific messages.  
 
Is this alert saying that somebody is sending messages to one of my users with a version of Eudora that is missing a patch?  Or is this a false positive that doesn't need to be worried about?  Anybody else been getting any of these recently?


  • Likely to be a false positive... I've noted this event on several customer firewalls, and have disabled it (none of them use Eudora)... pretty darn sure these were false positives as the IPS reported the source as Astaro's SMTP proxy with the destination being their internal Exchange Server.  This appears to be a rule that is easy to trigger with legit traffic.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

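To see why this signature fires on ordinary traffic, here is an added Python re-implementation of the rule's content and pcre checks from the first post (not Snort's, Astaro's or any poster's code), run over a few constructed SMTP server replies; the hostnames and text are made up. Note that `/s` lets `.` span line breaks and `/m` lets `^` match at any line start, so any 250 reply followed by a single byte outside printable ASCII, TAB, CR or LF is enough, which is exactly what an 8-bit or UTF-8 greeting from a proxy produces.

```python
import re

# Snort pcre:"/^250.*[^\x20-\x7E\t\x0D\x0A]/sm" applied to the server->client payload.
# DOTALL == /s, MULTILINE == /m. The rule fires when a line starting with "250" is
# followed, anywhere later in the same payload, by a byte outside 0x20-0x7E, TAB, CR, LF.
RULE_PCRE = re.compile(rb"^250.*[^\x20-\x7E\t\x0D\x0A]", re.DOTALL | re.MULTILINE)
# Non-greedy variant used only for triage: locates the FIRST offending byte.
FIRST_BAD = re.compile(rb"^250.*?[^\x20-\x7E\t\x0D\x0A]", re.DOTALL | re.MULTILINE)


def sid_11669_matches(payload: bytes) -> bool:
    """content:"250" must be present and the PCRE must match.
    The flow:established,to_client condition is assumed to hold."""
    return b"250" in payload and RULE_PCRE.search(payload) is not None


def offending_byte(payload: bytes):
    """Return (offset, byte value) of the first byte that makes the rule fire,
    or None. Handy when the console only shows proxy -> mail server."""
    m = FIRST_BAD.search(payload)
    if m is None:
        return None
    off = m.end() - 1
    return off, payload[off]


# Constructed sample replies (not taken from the thread).
SAMPLES = {
    # Plain ASCII EHLO reply: no alert.
    "ascii_ehlo": b"250-mail.example.test Hello\r\n250-SIZE 52428800\r\n250 OK\r\n",
    # The kind of thing the signature is written for: 250 followed by high bytes.
    "high_bytes": b"250 " + b"\x90" * 8 + b"\r\n",
    # Legitimate traffic: a UTF-8 greeting in a 250 reply also has bytes above 0x7E.
    "utf8_greeting": "250 Willkommen bei Müller-Mail\r\n".encode("utf-8"),
    # High bytes on a non-250 line without any "250" in the payload: no alert.
    "non_250": b"220 mail.example.test ESMTP caf\xc3\xa9\r\n",
}


def classify_samples():
    """Map each sample name to whether the rule would alert on it."""
    return {name: sid_11669_matches(p) for name, p in SAMPLES.items()}
```

Running `classify_samples()` shows the UTF-8 greeting alerting alongside the high-byte case, so a proxy or server emitting non-ASCII text in any 250 line will trigger it without any Eudora client involved.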