Is the email spam or is it from a known good source?

On Nov 20, 2007 10:59 AM, Albert R. Campa <[EMAIL PROTECTED]> wrote:
> I don't know that it is an actual email, but this is 1 of 28 lines that
> I took from a packet capture in the SMTP portion of the packet
>
> Message: \252\225U\376\207\251\326\270\001II\341\321\321I\001R\n
>
> some lines are longer, some shorter, but 28 of them. I guess this is
> what is causing the event to trigger.
>
> On Nov 20, 2007 9:43 AM, David Maynor <[EMAIL PROTECTED]> wrote:
> > What is contained in that email? Specifically that check is looking
> > for strings that could be used as the payload in a buffer overflow.
> > There is always a chance of positives but I would love to see what
> > kind of legit email contains characters that could be translated to
> > machine code in a useful fashion.
> >
> > On Nov 19, 2007 5:28 PM, Albert R. Campa <[EMAIL PROTECTED]> wrote:
> > > Hi guys,
> > >
> > > I am getting spurts of events triggered by ISS Proventia, with the
> > > following vuln description:
> > > Vulnerability description
> > > In buffer overflow attacks, an attacker supplies data that is longer
> > > than the available space to hold it. For stack allocated variables,
> > > this usually means the attacker can corrupt other variables and
> > > eventually modify the code that is executed when the function in which
> > > the overflow occurs ends.
> > >
> > > http://www.iss.net/security_center/reference/vuln/EMail_Generic_Intel_Overflow.htm
> > >
> > > They are from a trusted mail server so it's not being blocked.
> > >
> > > Do you think this is just a true false positive or is this trusted
> > > mail server sending bad packets?
> > >
> > > ------------------------------------------------------------------------
> > > Test Your IDS
> > >
> > > Is your IDS deployed correctly?
> > > Find out quickly and easily by testing it
> > > with real-world attacks from CORE IMPACT.
> > > Go to
> > > http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
> > > to learn more.
> > > ------------------------------------------------------------------------
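
A triage aid for the capture line quoted in this thread, added here as an example and not written by any of the posters: it decodes the octal-escaped `Message:` text back into raw bytes and reports whether the content is 7-bit clean, which plain SMTP message text would be. It assumes the capture tool used `\ooo` octal escapes as shown; the function names and the plain-text comparison line are constructed for illustration, and this does not reproduce the Proventia signature logic.

```python
import re

# The single line quoted in the thread from the SMTP portion of the capture.
SAMPLE = r"\252\225U\376\207\251\326\270\001II\341\321\321I\001R\n"
# Constructed comparison input: an ordinary 7-bit header line, same notation.
PLAIN = r"Subject: weekly report\r\n"

_ESC = re.compile(r"\\([0-7]{1,3})|\\([nrt\\])|(.)", re.S)
_SIMPLE = {"n": 0x0A, "r": 0x0D, "t": 0x09, "\\": 0x5C}


def decode_escaped(text):
    """Convert escaped capture text (\\ooo octal, \\n, \\r, \\t) to bytes."""
    out = bytearray()
    for octal, simple, literal in _ESC.findall(text):
        if octal:
            out.append(int(octal, 8) & 0xFF)
        elif simple:
            out.append(_SIMPLE[simple])
        else:
            out.append(ord(literal) & 0xFF)
    return bytes(out)


def triage(data):
    """Summarise how far the bytes are from plain 7-bit mail text."""
    high = sum(b >= 0x80 for b in data)
    # Control bytes other than TAB, LF and CR do not occur in normal mail text.
    ctrl = sum(b < 0x20 and b not in (0x09, 0x0A, 0x0D) for b in data)
    return {
        "length": len(data),
        "high_bit": high,
        "control": ctrl,
        "seven_bit_clean": high == 0 and ctrl == 0,
        "hex": data.hex(" "),
    }


if __name__ == "__main__":
    for label, text in (("capture line", SAMPLE), ("plain line", PLAIN)):
        print(label, triage(decode_escaped(text)))
```

A line that is not 7-bit clean points the investigation at what the session was carrying at that moment (for example an encrypted or binary transfer, which is an assumption to confirm against the full capture) rather than at readable mail text.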
