List: snort-sigs
Subject: [Snort-sigs] False positive in 3065.1 (IMAP append literal overflow attempt)
From: nnposter () users ! sourceforge ! net
Date: 2005-01-18 22:49:13
Message-ID: 3065.1.1 () () users ! sourceforge ! net
The current version:
alert tcp $EXTERNAL_NET any -> $HOME_NET 143
(msg:"IMAP append literal overflow attempt"; flow:established,to_server;
content:"APPEND"; nocase; pcre:"/\sAPPEND\s[^\n]*?\s\{/smi";
byte_test:5,>,256,0,string,dec,relative;
reference:bugtraq,11775; classtype:misc-attack; sid:3065; rev:1;)
I am getting false positives on completely benign commands, such as
APPEND "Sent Items" (\Seen) {2345}
My interpretation of the rule is that it fires whenever a message literal
size prefix specifies more than 256 bytes, which seems wrong. Could
somebody either confirm my interpretation or point out where I am making
a mistake?
Cheers,
nnposter
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
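The following is an added example, not part of the original post or of the Snort rule set: a small Python model of how the posted rule evaluates a client payload, so the interpretation in the message can be checked against sample commands. It chains the three detection options the way Snort does (the nocase content match, the pcre, then byte_test at offset 0 relative to the end of the pcre match) and assumes that byte_test's string,dec conversion reads up to 5 bytes and takes the leading decimal digits, as strtoul would, with no digits counting as no match. The sample IMAP commands below are constructed for the example; only the first is taken from the message.

```python
import re

# Modelled on the posted rule (sid 3065 rev 1). The pcre match ends right
# after the '{', so byte_test's relative offset 0 is the first size digit.
PCRE = re.compile(rb"\sAPPEND\s[^\n]*?\s\{", re.I | re.S | re.M)
BYTES_TO_CONVERT = 5   # byte_test:5,...
THRESHOLD = 256        # byte_test:...,>,256,...


def byte_test_string_dec(payload: bytes, offset: int, nbytes: int):
    """Model byte_test's string,dec conversion (assumption: strtoul-like).

    Reads up to nbytes bytes at offset and interprets the leading decimal
    digits. Returns None when no digit is present, which this model treats
    as no match.
    """
    window = payload[offset:offset + nbytes]
    m = re.match(rb"[0-9]+", window)
    if not m:
        return None
    return int(m.group(0))


def rule_3065_matches(payload: bytes) -> bool:
    """Return True when the modelled rule would alert on this client payload."""
    # content:"APPEND"; nocase;
    if b"append" not in payload.lower():
        return False
    # pcre:"/\sAPPEND\s[^\n]*?\s\{/smi"
    m = PCRE.search(payload)
    if not m:
        return False
    # byte_test:5,>,256,0,string,dec,relative;
    value = byte_test_string_dec(payload, m.end(), BYTES_TO_CONVERT)
    return value is not None and value > THRESHOLD


def literal_size(payload: bytes):
    """The literal size the rule actually compares against 256, or None."""
    m = PCRE.search(payload)
    if not m:
        return None
    return byte_test_string_dec(payload, m.end(), BYTES_TO_CONVERT)


# Constructed sample commands, mapped to whether the modelled rule fires.
SAMPLES = {
    b'A001 APPEND "Sent Items" (\\Seen) {2345}\r\n': True,  # the benign command from the post
    b'A002 APPEND INBOX {120}\r\n': False,                  # literal at or below 256 bytes
    b'A003 APPEND INBOX {99999}\r\n': True,                 # large literal
    b'A004 append Drafts {300+}\r\n': True,                 # nocase; RFC 2088 non-synchronizing literal
    b'A005 SELECT INBOX\r\n': False,                        # no APPEND at all
    b'A006 APPEND INBOX {}\r\n': False,                     # no digits to convert
}


def run_samples():
    """Evaluate every sample; returns {payload: (fired, expected)}."""
    return {p: (rule_3065_matches(p), want) for p, want in SAMPLES.items()}


if __name__ == "__main__":
    for payload, (fired, want) in run_samples().items():
        tag = "ALERT" if fired else "pass "
        print(f"{tag} size={literal_size(payload)} {payload!r}")
```

Running it shows the behaviour described in the message: any APPEND whose literal size prefix exceeds 256 fires, regardless of mailbox name, flags, or anything else on the line, because the only value the rule ever inspects is the number after the `{`. The model covers only the three matching options; Snort's flow:established,to_server check and the real byte_test conversion code are not reproduced here.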