Snort smtp rule
-
Hi,
I am having a lot of Snort alerts: (smtp) Attempted data header buffer overflow: xxx chars
How do I disable this rule? I have tried to comment it in the snort.conf file but the changes did not get saved.
Maybe this article can help. http://lists.virus.org/snort-users-0809/msg00002.html
Kindly assist.
-
Perfect example on how to use threshold.conf.
Can you please post the alert you get.
James
-
Hi,
I am receiving the following alert:
[ ** ] [ 124:2:1 ] (smtp) Attempted data header buffer overflow: 1014 chars [ ** ]
[ Priority: 3 ]
Regards,
Sam
-
If you're running Snort 2.8.4.1 pkg v. 1.4, go to the Threshold tab and enter this to suppress the alert:
suppress gen_id 124, sig_id 2
or
Enter this to limit the alert to every 60 seconds.
threshold gen_id 124, sig_id 2, type limit, track by_src, count 1, seconds 60
James
-
Dear James,
What do you mean by suppress the alert?
Does it mean that Snort will no longer block the hosts generating this alert? (This is what I need to do.)
Thanks.
-
Yes, by using suppress, Snort will not alert you and will not block any hosts.
James
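-
Added example (not part of the thread, and not Snort's own code): a simplified Python model of how the two Threshold-tab lines posted above treat a stream of alerts, run over constructed events. The function names, addresses and timestamps are assumptions for illustration, and only `type limit, track by_src` is modelled.

```python
# Simplified model of Snort 2.8.x standalone suppress/threshold lines.
SUPPRESS = "suppress gen_id 124, sig_id 2"
LIMIT = ("threshold gen_id 124, sig_id 2, type limit, "
         "track by_src, count 1, seconds 60")

def parse_directive(line):
    """Parse a 'suppress ...' or 'threshold ...' line into a dict."""
    action, _, rest = line.strip().partition(" ")
    if action not in ("suppress", "threshold"):
        raise ValueError("not a suppress/threshold line: %r" % line)
    rule = {"action": action}
    for part in rest.split(","):
        key, value = part.split(None, 1)
        rule[key] = value.strip()
    for key in ("gen_id", "sig_id", "count", "seconds"):
        if key in rule:
            rule[key] = int(rule[key])
    return rule

def filter_alerts(rule, events):
    """Return the events that would still raise an alert.
    events: (time_seconds, src_ip, gen_id, sig_id) tuples in time order."""
    windows = {}  # src_ip -> [interval_start, alerts_in_interval]
    kept = []
    for ev in events:
        t, src, gid, sid = ev
        if (gid, sid) != (rule["gen_id"], rule["sig_id"]):
            kept.append(ev)              # other signatures are untouched
        elif rule["action"] == "suppress":
            continue                     # this signature never alerts
        elif rule.get("type") == "limit" and rule.get("track") == "by_src":
            win = windows.get(src)
            if win is None or t - win[0] >= rule["seconds"]:
                win = windows[src] = [t, 0]   # new interval for this source
            if win[1] < rule["count"]:
                win[1] += 1
                kept.append(ev)          # first 'count' alerts in the interval
        else:
            raise NotImplementedError("only 'type limit, track by_src'")
    return kept

# Constructed sample events (documentation addresses, not real traffic).
EVENTS = [(0, "192.0.2.10", 124, 2), (5, "192.0.2.10", 124, 2),
          (20, "192.0.2.25", 124, 2), (30, "192.0.2.10", 124, 1),
          (45, "192.0.2.10", 124, 2), (70, "192.0.2.10", 124, 2)]

if __name__ == "__main__":
    for text in (SUPPRESS, LIMIT):
        print(text, "->", filter_alerts(parse_directive(text), EVENTS))
```

With `suppress` no 124:2 alert is emitted at all, while the `threshold` line still lets through the first 124:2 alert per source in each 60-second interval.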