
List:       snort-sigs
Subject:    [Snort-sigs] False positive in 3065.1 (IMAP append literal overflow attempt)
From:       nnposter () users ! sourceforge ! net
Date:       2005-01-18 22:49:13
Message-ID: 3065.1.1 ()  () users ! sourceforge ! net

The current version:

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 
(msg:"IMAP append literal overflow attempt"; flow:established,to_server; 
content:"APPEND"; nocase; pcre:"/\sAPPEND\s[^\n]*?\s\{/smi"; 
byte_test:5,>,256,0,string,dec,relative; 
reference:bugtraq,11775; classtype:misc-attack; sid:3065; rev:1;)


I am getting false positives on completely benign commands, such as

    APPEND "Sent Items" (\Seen) {2345}

My interpretation of the rule is that it fires whenever a message literal 
size prefix specifies more than 256 bytes, which seems wrong. Could 
somebody either confirm my interpretation or point out where I am making 
a mistake?

Cheers,
nnposter
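Added illustration, not code from the original post or from the Snort project: a small Python emulation of how the quoted rule's pcre and byte_test steps combine. It assumes that byte_test's string/dec conversion reads up to 5 bytes starting right after the matched `{` and stops at the first non-digit (strtoul-like); the sample commands are constructed, the first being the one quoted in the post. Run over these, it shows that the literal size alone decides whether the rule fires.

```python
import re
from typing import Optional, Tuple

# Rule 3065 rev 1 as quoted in the post: the pcre positions the cursor just
# after "APPEND ... {", then byte_test reads up to 5 bytes as a decimal
# string and compares the value against 256.
APPEND_LITERAL_RE = re.compile(rb"\sAPPEND\s[^\n]*?\s\{", re.S | re.M | re.I)


def byte_test_string_dec(buf: bytes, offset: int, nbytes: int) -> Optional[int]:
    """Emulate byte_test:<nbytes>,...,string,dec (assumption: the decimal
    conversion takes the leading digits and stops at the first non-digit)."""
    window = buf[offset:offset + nbytes]
    m = re.match(rb"\d+", window)
    return int(m.group()) if m else None


def rule_3065_fires(payload: bytes, threshold: int = 256) -> Tuple[bool, Optional[int]]:
    """Return (fires, literal_size) for one client->server IMAP payload."""
    if b"append" not in payload.lower():          # content:"APPEND"; nocase;
        return False, None
    m = APPEND_LITERAL_RE.search(payload)         # pcre:"/\sAPPEND\s[^\n]*?\s\{/smi"
    if not m:
        return False, None
    # byte_test:5,>,256,0,string,dec,relative -> offset 0 from end of pcre match
    size = byte_test_string_dec(payload, m.end(), 5)
    if size is None:
        return False, None
    return size > threshold, size


# Constructed sample commands; SAMPLES[0] is the benign command from the post.
SAMPLES = [
    b'A003 APPEND "Sent Items" (\\Seen) {2345}\r\n',
    b'A004 APPEND INBOX {120}\r\n',
    b'A005 APPEND INBOX {99999}\r\n',
]

if __name__ == "__main__":
    for s in SAMPLES:
        fires, size = rule_3065_fires(s)
        print(f"{s!r}: literal={size} fires={fires}")
```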


_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs