682 Views, 0 Helpful, 1 Reply

equivalent cisco "SMTP HELO overflow attempt" signature

darin.marais
Level 4

I have two questions:

1. Does Cisco have an equivalent for the following snort signature?

SID: 1549

Message: SMTP HELO overflow attempt

Signature: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP HELO overflow attempt"; flow:to_server,established; content:"HELO"; isdataat:500,relative; pcre:"/^HELO\s[^\n]{500}/smi"; reference:bugtraq,895; reference:cve,CVE-2000-0042; reference:nessus,10324; reference:bugtraq,7726; reference:nessus,11674; classtype:attempted-admin; sid:1549; rev:13;)

This event is generated when an attempt is made to overflow a buffer in an SMTP server via a long SMTP HELO command.

2. Are there any signatures to detect the WALLON worm?

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_WALLON.A

I am aware of the mhtml vulnerability signature, but I am looking for some more specific signatures to detect the exploit.

Can anybody help?

1 Reply

mcerha
Level 3

We do not have a signature for the first question. The Bugtraq references are either really old (1999) and/or obscure mail servers that are probably not widely used. This is why signatures were not written originally. You can easily create a custom signature with the STRING.TCP engine on port 25. The RegexString would be

[Hh][Ee][Ll][Oo][ \t].*[\r\n]

with a MinMatchLength of 500.

I will add the WALLON.A worm for consideration for the S93 signature update.
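The Snort rule quoted in the question and the STRING.TCP regex suggested in the reply express the same "long HELO" check in two different engines, and they do not fire on exactly the same input. The Python below is an added example, not code from this thread, from Snort or from Cisco: it models both checks over constructed sample client lines so the differences can be seen side by side. It assumes Python's re module stands in for each engine's regex dialect, that Snort's content:"HELO" is case-sensitive (no nocase modifier), and that MinMatchLength means the matched span must be at least that many bytes long.

```python
import re

# --- Snort SID 1549, as quoted in the question ------------------------------
# content:"HELO"          -> case-sensitive literal (no 'nocase' modifier)
# isdataat:500,relative   -> at least 500 bytes must follow that literal
# pcre:"/^HELO\s[^\n]{500}/smi" -> a line starting with HELO (any case),
#                            one whitespace byte, then 500 bytes with no newline
SNORT_PCRE = re.compile(rb"^HELO\s[^\n]{500}", re.S | re.M | re.I)


def snort_sid1549(payload: bytes) -> bool:
    """Approximate the option chain of SID 1549 over one reassembled payload."""
    start = 0
    while True:
        idx = payload.find(b"HELO", start)        # content:"HELO"
        if idx < 0:
            return False
        if len(payload) - (idx + 4) >= 500:      # isdataat:500,relative
            break
        start = idx + 1                           # try the next occurrence
    return SNORT_PCRE.search(payload) is not None  # pcre option


# --- Cisco STRING.TCP custom signature, as suggested in the reply -----------
# RegexString [Hh][Ee][Ll][Oo][ \t].*[\r\n] with MinMatchLength 500.
# Assumption (this example's, not Cisco's documentation): MinMatchLength is
# satisfied when the bytes covered by the regex match number at least 500.
CISCO_REGEX = re.compile(rb"[Hh][Ee][Ll][Oo][ \t].*[\r\n]")
CISCO_MIN_MATCH_LENGTH = 500


def cisco_string_tcp(payload: bytes) -> bool:
    """Fire when the regex matches a span of at least MinMatchLength bytes."""
    return any(m.end() - m.start() >= CISCO_MIN_MATCH_LENGTH
               for m in CISCO_REGEX.finditer(payload))


def evaluate(payload: bytes) -> dict:
    """Run both checks over one client-to-server SMTP payload."""
    return {"snort_sid1549": snort_sid1549(payload),
            "cisco_string_tcp": cisco_string_tcp(payload)}


# Constructed sample payloads (not captures from the original thread).
SAMPLES = {
    "normal":      b"HELO mail.example.test\r\n",       # ordinary greeting
    "long":        b"HELO " + b"A" * 600 + b"\r\n",     # oversized argument
    "long_lower":  b"helo " + b"A" * 600 + b"\r\n",     # same, lowercase verb
    "long_no_eol": b"HELO " + b"A" * 600,               # no CRLF in this segment
    "long_ehlo":   b"EHLO " + b"A" * 600 + b"\r\n",     # ESMTP greeting verb
    "just_under":  b"HELO " + b"A" * 498 + b"\r\n",     # near the threshold
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:12s} {evaluate(payload)}")
```

Running it shows where the two signatures diverge: the Snort rule's content match is case-sensitive, so a lowercase "helo" slips past it while the Cisco regex catches it; the Cisco regex requires a CR or LF inside the matched span, so a segment that has not yet carried the line terminator does not fire, whereas the Snort pcre does not need one; and the 500-byte threshold is measured differently (Snort counts bytes after the whitespace, MinMatchLength counts the whole match including "HELO " and the CRLF), so "just_under" trips only the Cisco signature. Neither expression covers EHLO, which most modern clients send instead of HELO, so a defender tuning either signature would want a second pattern for that verb.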