Snort coverage for the Exim remote root vulnerability
The Sourcefire VRT has published a blog post that describes how Snort detects the Exim root vulnerability.
Based on what hit the Exim-dev mailing list, we felt confident that the SMTP preprocessor would catch the vulnerability; after testing with the proof-of-concept sent to the Full-Disclosure mailing list on Saturday, we’ve confirmed that SID 124:2:1 does the job nicely.
No configuration is necessary; the default settings for the SMTP preprocessor will work here. For anyone who may have tweaked their config, ensure that the max_header_line_len is set to 2000 bytes or less (a reasonable value for all but the most unique of environments; the default value is 1000 bytes).
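One way to audit a sensor for the setting described above, as an added example that is not from the VRT post or the Snort project: it parses snort.conf text and classifies the SMTP preprocessor's max_header_line_len against the 2000-byte ceiling. The sample configs are constructed, the function and status names are hypothetical, and treating 0 as "never alert" is an assumption taken from the Snort 2.x manual's description of the option.

```python
import re
import sys

LIMIT = 2000  # ceiling recommended in the post quoted on this page

# Constructed samples, not taken from any real deployment.
SAMPLE_OK = """\
preprocessor smtp: ports { 25 587 } \\
    inspection_type stateful \\
    max_command_line_len 512 \\
    max_header_line_len 1000
"""
SAMPLE_TWEAKED = "preprocessor smtp: ports { 25 } max_header_line_len 8192\n"


def smtp_header_len_status(conf_text, limit=LIMIT):
    """Return (status, value) for the smtp preprocessor's max_header_line_len.

    status is one of: ok, too_high, disabled, unset, no_smtp_preprocessor.
    """
    # snort.conf lets a directive span lines with a trailing backslash.
    joined = re.sub(r"\\\r?\n", " ", conf_text)
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not re.match(r"preprocessor\s+smtp\b", line):
            continue
        m = re.search(r"\bmax_header_line_len\s+(\d+)", line)
        if m is None:
            # Option absent: check your Snort version's documented default.
            return ("unset", None)
        value = int(m.group(1))
        if value == 0:
            # Assumption (Snort 2.x manual): 0 means never alert on length.
            return ("disabled", 0)
        return ("ok" if value <= limit else "too_high", value)
    return ("no_smtp_preprocessor", None)


if __name__ == "__main__":
    # Usage: python check_smtp_len.py /etc/snort/snort.conf (path is an example)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OK
    status, value = smtp_header_len_status(text)
    print(f"max_header_line_len: {status} ({value})")
    sys.exit(0 if status == "ok" else 1)
```

Any status other than `ok` means the long-header alert (SID 124:2:1) may not fire at the threshold the post relies on, so the sensor's configuration should be reviewed.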