Hi,
I have been getting a lot of alerts from Sourcefire recently, all of the same type. The originating IPs map to messagelabs servers and the target is our email server. Is anyone aware of what is causing this to trigger so often? Below is more detail; attached is the actual packet associated with the alert:
[124:1:2] smtp: Attempted command buffer overflow [Impact: Potentially Vulnerable] From "192.168.28.12" at Mon Apr 4 17:27:35 2016 UTC [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {tcp} 216.82.250.247:29127 (united states)->xxx.xxx.xxx.xxx:25 (unknown)
Frame 1: 1434 bytes on wire (11472 bits), 1434 bytes captured (11472 bits)
WTAP_ENCAP 1
Arrival Time Apr 04, 2016 13:32:24.585398000
Time shift for this packet 0.000000000 seconds
Epoch Time 1459791144.585398000 seconds
Time delta from previous captured frame 0.000000000 seconds
Time delta from previous displayed frame 0.000000000 seconds
Time since reference or first frame 0.000000000 seconds
Frame Number 1
Frame Length 1434 bytes (11472 bits)
Capture Length 1434 bytes (11472 bits)
Frame is marked False
Frame is ignored False
Protocols in frame eth:ip:tcp:smtp
Ethernet II (Src: XX:XX:XX:XX:XX:XX, Dst: XX:XX:XX:XX:XX:XX)
Destination
Address: XX:XX:XX:XX:XX:XX
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source
Address: XX:XX:XX:XX:XX:XX
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type IP (0x0800)
Internet Protocol Version 4 (Src: 216.82.243.55, Dst: xxx.xxx.xxx.xxx)
Version 4
Header length 20 bytes
Differentiated Services Field
0100 10.. = Differentiated Services Codepoint: Assured Forwarding 21 (0x12)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length 1420
Identification 0x5a8f (23183)
Flags
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset 0
Time to live 53
Protocol TCP (6)
Header checksum
Good: True
Bad: False
Source 216.82.243.55
Destination xxx.xxx.xxx.xxx
Transmission Control Protocol (Src Port: 51758 (51758), Dst Port: 25 (25), Seq: 1, Ack: 1, Len: 1368)
Source port 51758 (51758)
Destination port 25 (25)
Stream index 0
Sequence number 1 (relative sequence number)
Next sequence number 1369 (relative sequence number)
Acknowledgment number 1 (relative ack number)
Header length 32 bytes
Flags
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
Window size value 37
Calculated window size 37
Window size scaling factor -1 (unknown)
Checksum
Good Checksum: False
Bad Checksum: False
Options
No-Operation (NOP)
Type: 1
0... .... = Copy on fragmentation: No
.00. .... = Class: Control (0)
...0 0001 = Number: No-Operation (NOP) (1)
No-Operation (NOP)
Type: 1
0... .... = Copy on fragmentation: No
.00. .... = Class: Control (0)
...0 0001 = Number: No-Operation (NOP) (1)
Timestamps: TSval 3663478221, TSecr 70721423
Kind: Timestamp (8)
Length: 10
Timestamp value: 3663478221
Timestamp echo reply: 70721423
Bytes in flight: 1368
Simple Mail Transfer Protocol
Command Line
Command: ^RA\313
Request parameter: \265\357U\370\370\033\212|\v\365
Command Line
Command: =g\017\301
Request parameter: r\347{\240\310\210\032\264\210\320\313\210@\301{\345'\344\366\364#j\031\2300\002;+\344^c&\304\242\265&)\024\346
Command: \324\332\266c
Request parameter [truncated]: \204N\366[\030Q\367\304\v!\271\313\023)0\314\204\361\201;\005\347c\322O|\373\220\370W\026U\307LvO\311\324\213:\331\355\256\257SI$\343\276\032\3425e\234\224m5\375p\362\307V\317\226\260WQ\312\311\004\277\357h\3
Command: \036\247q\330
Request parameter [truncated]: \v\222\2637E\261\367\021j\337\375\215\2373\237\276\315\377\031C\327\307z\256\376Q\235\333\362\363`\257}\2378\310\320\245\f\003\266c\313\307\364\321JQP\354\276\215\335\3655\002R\035\274\016\374(\252\215\365\36
Command Line
Command: y\342\346y
Request parameter: \226\353UW\273\323\336HoH\310b\020\232L;\v\322\v\265\330\2072\220\004\236\362
Command Line
Command: \206c9\210
Request parameter: \333\316\004_\206\017)\334\375\355\376\016{G$\333\177\033\235\330\333\237\330#?C\251\f\027cx\300pnJ\230\272\222#9B\301o\257\263&\034\366R\212\345\314\244\017b-
Command Line
Command: \205N\002r
Request parameter: \f\215\255=\367\236<\332
Command Line
Command: E_Ik
Command: \0331\252\242
Request parameter [truncated]: \262\035\032\234\333\226\037]\363\236\331\217\f]\340Z\037\252k\334\340\201io\276{\236H+\036H\255\303]\206\322\204\211\376\364\l\252\364\311|lOnB\215\a`?\245&\251\362\270\237\225\202g-\233p\215@6\254\t\311\256
Command Line
Command: \333\\304\324
Request parameter: \240\243\345g\370+\262\022\225\031hS]\315\373\322\001\233\243\201#\272\255\225u\377\203p\026eG\306\273\352I\350\234b\3176\226Q\313\252\201\002\2753\017
Command Line
Command: >\200\023\265
Request parameter: *}\342N\231;\365W\253\377\261\210\253\306\217\250\365\\3073e\263,Kj\223\300\323\356?\315j\313\026\226.\310\256\034\326}\207N\244\200\213\216\322\343O
Command Line
Command: \262\356\323\256
Request parameter: \274\001\366\235~S+\275\332\033B\267
Command: 7\020\0218
Request parameter [truncated]: \253\366\245RE\316\250\377\356S\320\200l?Z \317D5\257\363\275L5\250\002\270[\025\367H\\267&\362*\370\2311\324\334\251\355\303`\001\020\360\376\212p\250\320C
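The decoded "commands" in the dump above (four opaque bytes followed by a run of non-ASCII bytes, repeated) are not SMTP verbs at all, so the first thing to establish from the attached packet is whether the segment is plaintext SMTP before asking why a command-length check fired on it. The following script is an added example, not Sourcefire or Snort code and not part of the original post. It re-implements two checks: the command-line length test behind an "Attempted command buffer overflow" style alert, and a printable-byte ratio that separates readable SMTP from opaque data such as TLS records carried on port 25 after STARTTLS. The limits (512 bytes by default, lower per-verb limits for MAIL, RCPT and the HELO family) are assumptions modelled on the stock Snort SMTP preprocessor settings; take the real values from the policy in use. All three sample payloads are constructed.

```python
"""Triage helper for an SMTP "command buffer overflow" alert.

Added example, not Sourcefire/Snort code.  Limits below are assumptions
modelled on the stock snort.conf SMTP preprocessor settings; read the
deployed policy for the real numbers.
"""
import hashlib
from typing import Dict, List, Tuple

# Assumed limits in bytes (max_command_line_len / alt_max_command_line_len).
DEFAULT_MAX_CMD_LINE = 512
ALT_MAX_CMD_LINE: Dict[bytes, int] = {
    b"MAIL": 260,
    b"RCPT": 300,
    b"HELO": 500, b"EHLO": 500, b"HELP": 500, b"ETRN": 500,
}


def split_command_lines(payload: bytes) -> List[bytes]:
    """Split a client-to-server SMTP segment into command lines.

    CRLF is the protocol terminator; bare LF is accepted leniently.  An
    unterminated trailing fragment is kept because a preprocessor also
    measures the line it is still buffering.
    """
    lines = payload.replace(b"\r\n", b"\n").split(b"\n")
    return [ln for ln in lines if ln]


def command_overflows(payload: bytes,
                      max_len: int = DEFAULT_MAX_CMD_LINE,
                      alt: Dict[bytes, int] = ALT_MAX_CMD_LINE
                      ) -> List[Tuple[bytes, int, int]]:
    """Return (verb, line_length, limit) for every line over its limit."""
    hits = []
    for line in split_command_lines(payload):
        verb = line.split(b" ", 1)[0].upper()
        limit = alt.get(verb, max_len)
        if len(line) > limit:
            hits.append((verb, len(line), limit))
    return hits


def printable_ratio(payload: bytes) -> float:
    """Fraction of bytes that are printable ASCII or TAB/LF/CR."""
    if not payload:
        return 1.0
    ok = sum(1 for b in payload if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return ok / len(payload)


def looks_like_plaintext_smtp(payload: bytes, min_ratio: float = 0.9) -> bool:
    """Plaintext SMTP is almost entirely printable; TLS records are not."""
    return printable_ratio(payload) >= min_ratio


def triage(payload: bytes) -> str:
    """Classify a segment as 'not-plaintext', 'overflow' or 'benign'."""
    if not looks_like_plaintext_smtp(payload):
        return "not-plaintext"   # length limits are meaningless here
    if command_overflows(payload):
        return "overflow"
    return "benign"


def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for a TLS record."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


# Constructed samples (not captured traffic).
BENIGN = (b"EHLO mail.example.net\r\n"
          b"MAIL FROM:<alice@example.net>\r\n"
          b"RCPT TO:<bob@example.com>\r\n"
          b"DATA\r\n")
OVERSIZED = b"MAIL FROM:<" + b"a" * 400 + b"@example.net>\r\n"   # 424-byte line
OPAQUE = pseudo_random_bytes(1368)   # same length as the dumped segment

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("oversized", OVERSIZED),
                         ("opaque", OPAQUE)):
        print(f"{name:9s} printable={printable_ratio(sample):.2f} "
              f"-> {triage(sample)}  {command_overflows(sample)[:1]}")
```

If the real packet scores like the opaque sample, the alert is not measuring SMTP commands; it is measuring whatever the sensor buffered from a session it no longer understood, which is what TLS application data after a STARTTLS negotiation it did not see (or was not configured to honour) looks like.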