Cisco Support Community


New sendmail exploit signatures

Anyone have a signature for the new remote sendmail exploit?


Re: New sendmail exploit signatures

We are currently building the S42 signature update which will contain signature 3115 to deal with this worm. It will hopefully be done this evening. I will post here again when the package is ready.


Re: New sendmail exploit signatures

The S41 package is available for early use at:

Signature 3115 covers the Sendmail vulnerability. Mgmt. packages will follow shortly.


Re: New sendmail exploit signatures

Is the string available anywhere else? I am having problems with this link.


Re: New sendmail exploit signatures

Try this instead...

First, go to the following URL:

Once there, select either the .bin or .zip file, right-click it and select "Save as..." and download it as you see fit.

I suspect that, as happened to me, the file is opening in your browser as ASCII text if you follow the link to IDS-sig-3.1-3-S41.bin directly...

Hope this helps out!


Re: New sendmail exploit signatures

This sig is false-alarming on valid Exchange server email traffic. Anyone else experiencing this?




Re: New sendmail exploit signatures

Why is this triggering the alarm? (names changed to protect the innocent)


TIME UTC: 2003/03/05 21:16:13 Local: 2003/03/05 15:16:13

SIGID: 3115 "Sendmail Data Header Overflow" LEVEL: 5



MSG: From: user@host...aaaa...

CONTEXT S->D: 600 (CST)..Received: from unknown(XXX.XXX.XXX.XXX) by via csmap (2.0) srcAAAaeaioX; Wed, 5 Mar 03 15:15:58 -0600..

Message-Id: <>..From: "...

¢...." <>.


Re: New sendmail exploit signatures

Yes, we are seeing false positives also at SBC DataComm.


Re: New sendmail exploit signatures

The overflow is triggered by a large number of <> bracket pairs. I think the following custom signature will do the trick:

Current Signature: Engine STRING.TCP SIGID 20020

SigName: Sendmail exploit


0 - Edit ALL Parameters

1 - AlarmInterval =

2 - AlarmThrottle = FireOnce

3 - ChokeThreshold =

4 - Direction = ToService

5 - FlipAddr =

6 - LimitSummary =

7 - MaxInspectLength =

8 - MinHits = 1

9 - MinMatchLength =

10 - MultipleHits =

11 * RegexString = [\<\>]{100}

12 - ResetAfterIdle = 15

13 - ServicePorts = 25

14 - SigComment =

15 - SigName = Sendmail exploit

16 - SigStringInfo =

17 - StripTelnetOptions =

18 - ThrottleInterval = 15

19 - WantFrag =

d - Delete a value

u - UNDO and continue

x - SAVE and continue


Note it could also be triggered by multiple single brackets <<< or >>>, but packetd was not working with (\<\>){100}


Re: New sendmail exploit signatures

Working with a customer, I have identified at least one false positive in signature 3115. A colon needs to be added to the regex after the To, From, and CC patterns. This will be fixed in sig update S42 for 3.1 sensors. If anyone is willing to send traffic samples, you can send them to , and I'll look at them for you.
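The two detection points raised in this thread, the custom STRING.TCP regex `[\<\>]{100}` from the earlier reply and the missing colon after To/From/CC in signature 3115 from the reply above, can be checked offline against sample SMTP traffic. The following Python is an added example written for this page; it is not code from the thread, from the sensor, or from Cisco. It assumes that Python's `re` module behaves like the sensor's engine for these simple patterns, and the two "3115-like" header patterns are hypothetical stand-ins (the real S41 regex is not on the page) whose only purpose is to show why a pattern that matches a bare `From` also matches the `from` inside a legitimate Received: line. The sample messages are constructed, modeled on the alarm context posted earlier with placeholder addresses.

```python
import re

# Regex posted in the custom signature (SIGID 20020): 100 consecutive angle
# brackets in any mix, so runs of "<><><>..." and of "<<<<..." both match.
CUSTOM_SIG = re.compile(r"[<>]{100}")

# Hypothetical stand-ins for the 3115 header check (assumption: an oversized
# To/From/CC header).  HEADER_MIN is an assumed threshold, not the sensor's.
HEADER_MIN = 40
NO_COLON = re.compile(r"\b(?:To|From|Cc)[^\r\n]{%d,}" % HEADER_MIN, re.IGNORECASE)
WITH_COLON = re.compile(r"\b(?:To|From|Cc):[^\r\n]{%d,}" % HEADER_MIN, re.IGNORECASE)

# Constructed sample 1: a normal Exchange-style message whose Received: line
# contains the word "from" followed by a long hop description.
LEGIT = (
    "Received: from unknown(10.0.0.1) by mail.example.com via csmap (2.0) "
    "srcAAAaeaioX; Wed, 5 Mar 03 15:15:58 -0600\r\n"
    "Message-Id: <abc123@mail.example.com>\r\n"
    'From: "User" <user@example.com>\r\n'
    "To: <other@example.com>\r\n"
    "\r\n"
    "Hello.\r\n"
)

# Constructed sample 2: a From: header stuffed with 60 "<>" pairs, the shape
# the custom signature was written to catch.
EXPLOIT_LIKE = (
    "Received: from relay.example.net by mail.example.com; Wed, 5 Mar 03 15:16:00 -0600\r\n"
    "From: " + "<>" * 60 + "@example.net\r\n"
    "To: <victim@example.com>\r\n"
    "\r\n"
    "payload\r\n"
)

# Constructed sample 3: a run of identical brackets, which the reply notes
# should also trigger the custom signature.
SINGLE_BRACKETS = "To: " + ">" * 100 + "\r\n\r\nx\r\n"


def header_block(data: str) -> str:
    """Return only the SMTP DATA headers (everything before the first blank line)."""
    head, _, _ = data.partition("\r\n\r\n")
    return head


def custom_sig_fires(data: str) -> bool:
    """True when the posted custom signature [<>]{100} matches the headers."""
    return CUSTOM_SIG.search(header_block(data)) is not None


def header_sig_fires(data: str, require_colon: bool) -> bool:
    """True when the hypothetical 3115-like header pattern matches.

    require_colon=False models the S41 behaviour described in the thread
    (bare To/From/CC); require_colon=True models the announced S42 fix.
    """
    pattern = WITH_COLON if require_colon else NO_COLON
    return pattern.search(header_block(data)) is not None


def evaluate(data: str) -> dict:
    """Run all three checks over one message and report which would alarm."""
    return {
        "custom_20020": custom_sig_fires(data),
        "3115_like_no_colon": header_sig_fires(data, require_colon=False),
        "3115_like_with_colon": header_sig_fires(data, require_colon=True),
    }


if __name__ == "__main__":
    for name, sample in (("legit", LEGIT), ("exploit_like", EXPLOIT_LIKE),
                         ("single_brackets", SINGLE_BRACKETS)):
        print(name, evaluate(sample))
```

Running it shows the legitimate message alarming only under the no-colon pattern (the `from unknown(...)` hop in the Received: header is long enough to satisfy it), while the bracket-stuffed message alarms under all three checks; adding the colon drops the Exchange false positive without losing the exploit-shaped header.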