Re: [Snort-users] max_header_line_len

This is a discussion on Re: [Snort-users] max_header_line_len within the Snort forums, part of the System Security and Security Related category; Hi Serdar, The header name buffer overflow looks for a header name > 64 characters. Header names are taken to ...


Go Back   Usenet Forums > System Security and Security Related > Snort

Reload this Page Re: [Snort-users] max_header_line_len

FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply

 

LinkBack Thread Tools Search this Thread Display Modes
  #1 (permalink)  
Old 03-27-2008
Todd Wease
 
Posts: n/a
Default Re: [Snort-users] max_header_line_len
Hi Serdar,

The header name buffer overflow looks for a header name > 64 characters.
Header names are taken to be the tags in the data header, e.g.

Subject:
Return-Path:
Received:
etc.

If the number of characters before the ":" is more than 64 characters
the smtp preprocessor alerts. The max_header_line_len has nothing to do
with this - it looks for the length of the entire line.

Is your network asynchronous? Are you dropping packets? Can you
provide a pcap that generates the alert (send to bugs@snort.org)?

Thanks,
Todd

serdar uzun wrote:
> Hi,
>
> My Snort alerts many times with "smtp: Attempted header name buffer
> overflow".
> Then I cleared the line "max_header_line_len .." in snort.conf. But it
> has been continueing with same alert. What may be the problem?
>
> ------------------------------------------------------------------------
> Looking for last minute shopping deals? Find them fast with Yahoo!
> Search.
> <http://us.rd.yahoo.com/evt=51734/*http://tools.search.yahoo.com/newsearch/category.php?category=shopping>
>
>
>
> ------------------------------------------------------------------------
>
> -------------------------------------------------------------------------
> Check out the new SourceForge.net Marketplace.
> It's the best place to buy or sell services for
> just about anything Open Source.
> http://ad.doubleclick.net/clk;164216...et/marketplace
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/...fo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.p...st=snort-users


-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://ad.doubleclick.net/clk;164216...et/marketplace
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
Reply With Quote
Reply
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are Off
[IMG] code is Off
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT +1. The time now is 09:42 PM.

Contact Us - Usenet Forums - Archive - Top

Powered by vBulletin® Version 3.7.3
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.0.0